a computer readable medium for determining a public key having [a] an optionally reduced length and a [factor p] number p, using GF(p) or GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing GF(p^6), comprising:

a computer program means in said computer readable medium, for selecting a number [q] q and a number [p] p such that [p**2 - p + 1] p^2 - p + 1 is an integer multiple of [q] q;

a computer program means in said computer readable medium, for selecting a number [g] g of order [q] q, where [g] g and its conjugates can be represented by [B] B, where [Fg(x) = x**3 - Bx**2 + (B**p)x - 1] F_g(X) = X^3 - BX^2 + B^pX - 1 and the roots are [g, g**(p-1), g**(-p)] g, g^(p-1), g^(-p);

a computer program means in said computer readable medium, for representing the powers of [g] g using their trace over the field GF(p^2);

a computer program means in said computer readable medium, for selecting a private key; and

a computer program means in said computer readable medium, for computing a public key as a function of [g] g and the private key.



19. (AMENDED) A business method of determining a public key having [a] an optionally reduced length and a [factor p] number p, using GF(p) or GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing GF(p^6), comprising the steps of:

selecting a number [q] q and a number [p] p such that [p**2 - p + 1] p^2 - p + 1 is an integer multiple of [q] q;

selecting a number [g] g of order [q] q, where [g] g and its conjugates can be represented by [B] B, where [Fg(x) = x**3 - Bx**2 + (B**p)x - 1] F_g(X) = X^3 - BX^2 + B^pX - 1 and the roots are [g, g**(p-1), g**(-p)] g, g^(p-1), g^(-p);

representing the powers of [g] g using their trace over the field GF(p^2);

selecting a private key; and

computing a public key as a function of [g] g and the private key.



REMARKS

The above amendments are presented to correct minor inconsistencies and/or typographical errors in the specification and to better define the disclosed invention. No new matter is presented in the foregoing amendments. Applicant respectfully requests entry of the foregoing.

The Assistant Commissioner is hereby authorized to charge any additional fees which may be required for the timely consideration of this amendment under 37 C.F.R. §§ 1.16 and 1.17, or credit any overpayment to Deposit Account No. 13-4503, Order No. 0225-4188.

Respectfully submitted,
MORGAN & FINNEGAN, L.L.P.

SENDER'S ADDRESS:
Morgan & Finnegan L.L.P.
1775 Eye Street, N.W. Suite 400
Washington, D.C. 20006

RELATED PATENT APPLICATIONS

The following copending US Patent applications are directed to related inventions and are 
incorporated herein by reference. 

US Patent application entitled "Cyclotomic Polynomial Construction Of Discrete Logarithm Cryptosystems Over Finite Fields", Application No. 08/800,669, Filed: February 14, 1997, Applicant: Arjen K. Lenstra.

US Patent application entitled "Generating RSA Moduli Including A Predetermined 
Portion", Application No. 09/057,176, Filed: April 8, 1998, Applicant: Arjen K. Lenstra. 

BACKGROUND OF THE INVENTION 
Field of the Invention

The invention disclosed broadly relates to public key cryptography and more particularly 
relates to improvements in key generation and cryptographic applications in public key 
cryptography. 

Related Art 

The generation of a modulus as part of a public key according to the Rivest-Shamir-Adleman (RSA) cryptographic method is described in U.S. Patent No. 4,405,829 (Rivest et al.), "Cryptographic Communications System and Method", the disclosure of which is hereby incorporated by reference. In a set-up phase of the RSA scheme, a participant picks two prime numbers, [p] p and [q] q, each having a selected number of bits, such as 512 bits, with [p] p not equal to [q] q. The participant keeps [p] p and [q] q secret. The participant computes an RSA modulus [n] n, with [n] n = [p] p * [q] q. When [p] p and [q] q each have 512 bits, [n] n has 1023 or 1024 bits. The participant picks an RSA exponent [e] e that has no factors in common with ([p] p - 1)([q] q - 1). For efficiency purposes, the RSA exponent [e] e is often chosen of much shorter length than the RSA modulus. When the RSA modulus [n] n has 1024 bits, the RSA exponent [e] e typically has at most 64 bits. The owning participant makes the public key ([n] n, [e] e) available to other participants.

During operational use of the RSA scheme, other participants use the public key ([n] n, [e] e) to encrypt messages for the participant which owns that key. The owning participant is able to decrypt messages encrypted with the public key ([n] n, [e] e) due to possession of the secret prime numbers [p] p and [q] q.

Participants must store not only the public key of other participants, but also identifying information such as the name, address, account number and so on of the participant owning each stored public key. There are problems with this situation.

One problem with the present technique for using the RSA encryption scheme is that, although the RSA modulus [n] n is 1024 bits, the amount of security provided actually corresponds to only 512 bits, since an attacker who knows one of [p] p and [q] q can readily obtain the other of [p] p and [q] q. Instead of having to store 1024 bits to obtain 512 truly secure bits, it is desirable to store far fewer bits, such as approximately 512 bits, to obtain the 512 truly secure bits.

Another problem with the present technique is that the long bit-length of the public keys imposes a significant bandwidth load on telecommunications devices, such as wireless telephone sets. It is desirable to reduce the amount of bandwidth load as much as possible.

Generating RSA moduli having a predetermined portion has been considered by 
Scott A. Vanstone and Robert J. Zuccherato in "Short RSA Keys and Their Generation", 
J. Cryptology, 1995, volume 8, pages 101-114, the disclosure of which is hereby 
incorporated by reference. 

In "Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known", U. Maurer ed., EUROCRYPT '96 Proceedings, pages 178-189, Springer Verlag 1996, the disclosure of which is hereby incorporated by reference, Don Coppersmith has analyzed the security of the Vanstone methods, and found that all but one of Vanstone's methods provide inadequate security. Specifically, for the Vanstone methods having predetermined high order bits, the RSA modulus [n] n is generated in such a way that somewhat more than the high order ((1/4)[log2] log_2 n) bits of [p] p are revealed to the public, which enables discovery of the factorization of the RSA modulus [n] n, thus leaving the scheme vulnerable to attack.

SUMMARY OF THE INVENTION

The invention disclosed provides improvements in key generation and cryptographic applications in public key cryptography, by both reducing: 1) the bit-length of public keys and other messages, thereby reducing the bandwidth requirements of telecommunications devices, such as wireless telephone sets, and 2) the computational effort required to generate keys, to encrypt/decrypt and to generate/verify digital signatures.

The method of the invention determines a public key having a reduced length and a factor [p] p, using GF(p) or GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing GF(p^6). The method includes the step of selecting a number [p] p and a prime number [q] q that is a divisor of [p**2 - p + 1] p^2 - p + 1. Then the method selects an element [g] g of order [q] q in GF(p^6), where [g] g and its conjugates can be represented by [B] B, where [Fg(x) = x**3 - Bx**2 + (B**p)x - 1] F_g(X) = X^3 - BX^2 + B^pX - 1, and the roots of F_g(X) are [g, g**(p-1), g**(-p)] g, g^(p-1), g^(-p). Then the method represents the powers of [g] g using their trace over the field [GF(p**2)] GF(p^2). The method then selects a private key. The method then computes a public key as a function of [g] g and the private key. The public key can be used to encrypt a message and the public and private key can be used to decrypt the message. The public and private key can be used for signing a message and the public key can be used for verifying the signature. A Diffie-Hellman key exchange or other related scheme can be conducted using the public key generated by the method. The resulting invention reduces the bit-length of public keys and other messages, thereby reducing the bandwidth requirements of telecommunications devices, and reduces the computational effort required to encrypt/decrypt and to generate/verify digital signatures.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a diagram of an example network in which the invention can be carried out.

Figure 2 is a functional block diagram of an example server computer in the network of Figure 1, in which the invention can be carried out.

Figure 3 is a functional block diagram of an example client computer in the network of Figure 1, in which the invention can be carried out.

Figure 4 is a flow diagram of the method performed in a server and/or a client in the network of Figure 1, in accordance with the invention.

Figure 5 is a flow diagram of the preferred embodiment of the method for selection of "p" and "q", as shown in section 2.1.

Figure 6 is a flow diagram of the arithmetic method to support key generation, as shown in section 2.4.4.

Figure 7 is a flow diagram of the method of key generation, as shown in section 3.3.8.

Figure 8 is a flow diagram of the method of Diffie Hellman key exchange, as shown in section 4.1, using keys generated by the method of Figure 7.

Figure 9 is a flow diagram of the method of ElGamal encryption, as shown in section 4.2, using keys generated by the method of Figure 7.

Figure 10A is a flow diagram of the arithmetic method to support generating digital signatures, as shown in section 2.5.3.

Figure 10B is a flow diagram of the method of generating digital signatures, as shown in section 4.3, using keys generated by the method of Figure 7.

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

The Network and System Environment of the Invention 

The invention is a method, system, computer program, computer program article of manufacture, and business method for providing improvements in key generation and cryptographic applications in public key cryptography, by both reducing: 1) the bit-length of public keys and other messages, thereby reducing the bandwidth requirements of telecommunications devices, such as wireless telephone sets, and 2) the computational effort required to generate keys, to encrypt/decrypt and to generate/verify digital signatures.

Figure 1 is a diagram of an example network in which the invention can be carried out. The method of the invention can be performed, for example, in a server computer connected over a network to a client computer. The method can also be performed, for example, in a client computer. Figure 1 shows a server computer 102 connected over the Internet network 104 to three client computers, the personal computer 106, the main frame computer 108, and a microprocessor in the mobile phone client 130. The mobile phone client 130 is connected via the mobile telephone switching office 110 and the radio frequency base station 120 to the network 104. A database 112 is connected to the server 102, which stores public keys labeled (1), (2), and (3). Public key (1) was generated, in accordance with the method of the invention, in the personal computer client 106, and was transmitted over the network 104 to the server 102, for storage in the database 112. Public key (2) was generated, in accordance with the method of the invention, in the main frame client 108, and was transmitted over the network 104 to the server 102, for storage in the database 112. Public key (3) was generated, in accordance with the method of the invention, in the microprocessor of the mobile phone client 130, and was transmitted to the base station 120 over its radio frequency link, and via the mobile telephone switching office 110 and the network 104 to the server 102, for storage in the database 112. Public key (4) was generated, in accordance with the method of the invention, in the server computer 102, and was transmitted over the network 104 to each of the clients 106, 108, and 130. Each client 106, 108, and 130 generated, in accordance with the method of the invention, a private key respectively labeled (1), (2), and (3) which remains stored in the respective client. The server 102 generated, in accordance with the method of the invention, a private key labeled (4) which remains stored in the server. All public keys are properly certified using standard key certification methods as can be found in the cryptographic literature, such as the Handbook of Applied Cryptography, by A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, CRC Press, 1997.

Figure 2 is a functional block diagram of an example server computer in the network of Figure 1, in which the invention can be carried out. The server computer 102 includes a memory 202 connected by the bus 204 to the database 112, a hard drive 206, a CPU processor 208, and a network interface card 210 which is connected to the Internet network 104. The memory 202 includes an input buffer 232 and an output buffer 234. The memory 202 also includes a "p" buffer 236, a "q" buffer 238, a "g" buffer 240, and a "B" buffer 242. See sections 1, 2, and 3, below, for a discussion of the values "p", "q", "g", and "B". The memory 202 also includes a private key buffer 244, and a public key buffer 246. The memory 202 also includes a key generation program 400, whose flow diagram is shown in Figure 4, which operates in accordance with the method of the invention. The memory 202 also includes an encryption program 250 that uses the keys generated by the key generation program 400. The method of ElGamal encryption is described in section 4.2. The memory 202 also includes a digital signature signing and verifying program 252 that uses the keys generated by the key generation program 400. The arithmetic method to support generating digital signatures is described in section 2.5.3 and the method of generating digital signatures is described in section 4.3. The memory 202 also includes a key exchange program 254 that uses the keys generated by the key generation program 400. The method of Diffie Hellman key exchange is described in section 4.1. The memory 202 also includes an operating system program 220. The programs stored in the memory 202 are sequences of executable steps which, when executed by the CPU processor 208, perform the methods of the invention.

Figure 3 is a functional block diagram of an example client computer in the network of Figure 1, such as the client 106. The client computer 106 includes a memory 302 connected by the bus 304 to the display interface 314, the keyboard and mouse interface 312, a hard drive 306, a CPU processor 308, and a network interface card 310 which is connected to the Internet network 104. The memory 302 includes an input buffer 332, an output buffer 334, a "p" buffer 336, a "q" buffer 338, a "g" buffer 340, a "B" buffer 342, a private key buffer 344, and a public key buffer 346. The memory 302 also includes the key generation program 400, whose flow diagram is shown in Figure 4, which operates in accordance with the method of the invention. The memory 302 also includes the encryption program 250 that uses the keys generated by the key generation program 400. The memory 302 also includes a digital signature signing and verifying program 252 that uses the keys generated by the key generation program 400. The memory 302 also includes a key exchange program 254 that uses the keys generated by the key generation program 400. The memory 302 also includes an operating system program 320 and a browser program 106'. The programs stored in the memory 302 are sequences of executable steps which, when executed by the CPU processor 308, perform the methods of the invention.
Figure 4 is a flow diagram of the method performed in either the server computer 102 of Figure 2, or in the clients 106, 108, and/or 130 in accordance with the invention. Program 400 is a sequence of executable steps that embody the method of Figure 4. The method begins at 402 with the step 404 of selecting "p" and "q". The method continues with the step 406 of selecting "g". Then the method continues with the step 408 of representing the powers of "g" using their trace. Then the method continues with the step 410 of selecting a private key. Then the method continues with the step 412 of computing a public key as a function of "g" and the private key. See sections 1, 2, and 3, below, for a discussion of the values "p", "q", "g", and "B". Finally, the method concludes with the step 414 of using the public key and the private key in encryption and decryption, in digital signature signing and verification, and in key exchange and related applications. See section 4, below, for a discussion of these applications.

15 

1. Introduction 

The well known Diffie-Hellman (DH) key agreement protocol was the first practical solution to the key distribution problem, allowing two parties that have never met to establish a shared secret key by exchanging information over an open channel. In the basic DH scheme the two parties agree upon a generator g of the multiplicative group GF(p)* of a prime field GF(p) and they each send a random power of g to the other party (cf. Section 4 for a full description). Thus, assuming both parties know p and g, each party transmits about log2(p) bits to the other party.

In [4] it was suggested that finite extension fields can be used instead of prime fields, but no direct computational or communication advantages were implied. In [8] a variant of the basic DH scheme was introduced where g generates a relatively small subgroup of GF(p)* of prime order q. This considerably reduces the computational cost of the DH scheme, but has no effect on the number of bits to be exchanged. In [2] it was shown for the first time how the use of finite extension fields and subgroups can be combined in such a way that the number of bits to be exchanged is reduced by a factor 3. More specifically, it was shown that elements of an order q subgroup of GF(p^6)* can be represented using 2*log2(p) bits if q divides p^2 - p + 1. Despite its communication efficiency, the method of [2] is rather cumbersome and computationally not particularly efficient.

Herein we present a greatly improved version of the method from [2] that achieves the same communication advantage at a much lower computational cost. Furthermore, we prove that using our method in cryptographic protocols does not affect their security. The best attacks we are aware of are Pollard's rho method in the order q subgroup, or the Discrete Logarithm variant of the Number Field Sieve in the full multiplicative group GF(p^6)*. With primes p and q of about 1024/6 ≈ 170 bits the security of our method is equivalent to traditional subgroup systems using 170-bit subgroups and 1024-bit finite fields. But our subgroup elements can be represented using only about 2*170 bits, which is substantially less than the 1024 bits required for their traditional representation. The amount of computation required by a full exponentiation in our method is about the same as the time required by a full scalar multiplication in a 170-bit Elliptic Curve cryptosystem, and thus substantially less than the time required by a full 1024-bit RSA exponentiation. As a result our method may be regarded as a compromise between RSA and Elliptic Curve cryptosystems (ECC). We get security similar to RSA for much smaller public key sizes than RSA (though somewhat larger than ECC public keys), but we are not affected by the uncertainty of ECC security. Furthermore, key selection for our method is trivial compared to RSA, and certainly compared to ECC.

Apart from its performance advantages, the most intriguing and innovative aspect of our method is that it is the first method we are aware of that uses GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing GF(p^6). Denote by g an element of order q > 3 dividing p^2 - p + 1. Because p^2 - p + 1 divides the order p^6 - 1 of GF(p^6)* this g can be thought of as a generator of an order q subgroup of GF(p^6)*. As shown in [6], since p^2 - p + 1 does not divide any p^s - 1 for any integer s smaller than and dividing 6, the subgroup generated by g cannot be embedded in the multiplicative group of any true subfield of GF(p^6) (assuming q is sufficiently large). We show, however, that arbitrary powers of g can be represented using a single element of the subfield GF(p^2), that such powers can be computed using arithmetic operations in GF(p^2), and that arithmetic in the extension field GF(p^6) can be avoided. Moreover, our exponentiation method is much more efficient than other published methods to compute powers of elements of order dividing p^2 - p + 1.

In Section 2 we describe our method to represent and calculate powers of subgroup elements. In Section 3 we explain how a proper subgroup generator can conveniently be found using the method from Section 2. Cryptographic applications are given in Section 4, along with comparisons with RSA and ECC. In Section 5 we prove that the security of our method is equivalent to the security offered by traditional subgroup approaches. Extensions of our method are discussed in Section 6.
2. Subgroup representation and arithmetic

2.1 System setup

Let p ≡ 2 mod 3 be a prime number such that 6*log2(p) ≈ 1024 and such that φ_6(p) = p^2 - p + 1 has a prime factor q with log2(q) ≥ 160. Such p and q (or of any other reasonable desired size) can quickly be found by picking a prime q ≡ 7 mod 12, by finding the two roots r_1 and r_2 of x^2 - x + 1 ≡ 0 mod q, and by finding an integer k such that r_i + k*q is 2 mod 3 and prime for i = 1 or 2. If desired, primes q can be selected until the smallest or the largest root is prime, or any other straightforward variant that fits one's needs may be used, for instance to get log2(q) ≈ 180 and 6*log2(p) ≈ 3000, i.e., log2(p) considerably bigger than log2(q). From q ≡ 7 mod 12 it follows that q ≡ 1 mod 3 so that, with quadratic reciprocity, x^2 - x + 1 ≡ 0 mod q has two roots. It also follows that q ≡ 3 mod 4 which implies that those roots can be found using a single ((q+1)/4)th powering modulo q.

By g ∈ GF(p^6) we denote an element of order q. It is well known that g is not contained in any proper subfield of GF(p^6) (cf. [4]). In the next section it is shown that there is no need for an actual representation of g and that arithmetic on elements of GF(p^6) can be entirely avoided. Thus, there is no need to represent elements of GF(p^6), for instance by constructing an irreducible 3rd degree polynomial over GF(p^2). A representation of GF(p^2) is needed however. This is done as follows.

From p ≡ 2 mod 3 it follows that p mod 3 generates GF(3)*, so that the zeros α and α^p of the polynomial (X^3 - 1)/(X - 1) = X^2 + X + 1 form an optimal normal basis for GF(p^2) over GF(p). Because $\alpha^i = \alpha^{i \bmod 3}$, an element x ∈ GF(p^2) can be represented as $x = x_0\alpha + x_1\alpha^p = x_0\alpha + x_1\alpha^2$ for $x_0, x_1 \in \mathrm{GF}(p)$, so that $x^p = x_0\alpha^p + x_1\alpha^{2p} = x_1\alpha + x_0\alpha^2$.

Figure 5 is a flow diagram of the method for selection of "p" and "q", as shown in section 2.1.
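The parameter search of section 2.1, as an added worked example in Python (not code from the patent or from its authors): a prime q ≡ 7 mod 12 is drawn, the two roots of x^2 - x + 1 mod q are obtained with one ((q+1)/4)th powering, and p is the first prime r + k*q that is 2 mod 3. The Miller-Rabin routine, the bit-length bookkeeping and the constructed toy check values q = 271, p = 29 (p^2 - p + 1 = 813 = 3 * 271) are my additions; the default sizes follow the 170-bit figures quoted in the introduction.

```python
import random

# Added example (not code from the patent): the p, q selection of section 2.1.

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, extra_rounds=16):
    """Miller-Rabin with the small-prime bases plus random bases.

    The fixed bases alone decide every n below about 3.3e24 exactly."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:           # n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    bases = list(_SMALL_PRIMES) + [random.randrange(2, n - 1) for _ in range(extra_rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False        # a is a witness: n is composite
    return True


def cyclotomic_roots(q):
    """Both roots of x^2 - x + 1 = 0 mod q for a prime q = 7 mod 12.

    q = 1 mod 3 makes -3 a square mod q (quadratic reciprocity), and q = 3 mod 4
    lets one (q+1)/4-th powering produce a square root s; the roots are (1 +/- s)/2."""
    if q % 12 != 7:
        raise ValueError("q must be 7 mod 12")
    s = pow(q - 3, (q + 1) // 4, q)
    if s * s % q != q - 3:
        raise ValueError("-3 is not a square mod q, so q is not a prime that is 1 mod 3")
    inv2 = (q + 1) // 2         # 2 * (q+1)/2 = q + 1 = 1 mod q
    return (1 + s) * inv2 % q, (1 - s) * inv2 % q


def select_q(bits):
    """Random prime q of exactly `bits` bits with q = 7 mod 12."""
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1))
        q += (7 - q) % 12       # move up to the next value that is 7 mod 12
        if q.bit_length() == bits and is_probable_prime(q):
            return q


def select_p(q, bits):
    """Prime p = r + k*q = 2 mod 3 with r a root of x^2 - x + 1 mod q, so q | p^2 - p + 1.

    k starts at the smallest value that makes the candidates about `bits` bits long."""
    roots = cyclotomic_roots(q)
    k = max(0, ((1 << (bits - 1)) - min(roots) + q - 1) // q)
    while True:
        for r in roots:
            cand = r + k * q
            if cand % 3 == 2 and is_probable_prime(cand):
                return cand
        k += 1


def generate_parameters(q_bits=170, p_bits=170):
    """A prime q = 7 mod 12 and a prime p = 2 mod 3 with q dividing p^2 - p + 1."""
    q = select_q(q_bits)
    p = select_p(q, p_bits)
    assert (p * p - p + 1) % q == 0 and p % 3 == 2
    return p, q


if __name__ == "__main__":
    p, q = generate_parameters()
    print("q =", q)
    print("p =", p, "(p^2 - p + 1 is a multiple of q, p has", p.bit_length(), "bits)")
```

For q = 271 the routine returns the roots 29 and 243; 29 is already a prime that is 2 mod 3, so select_p(271, 5) returns p = 29 at k = 0, and 29^2 - 29 + 1 = 813 = 3 * 271 as required. The same code with the default sizes produces the 170-bit pair discussed in the introduction.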

2.2 Cost of arithmetic in GF(p^2)

It follows from the last identity that pth powering is for free in GF(p^2). A squaring in GF(p^2) can be carried out at the cost of 2 squarings and a single multiplication in GF(p), where as customary we do not count additions in GF(p). Straightforward multiplication in GF(p^2) takes four multiplications in GF(p), but this can trivially be reduced to three by using a simple Karatsuba-like approach (cf. [5, section 4.3.3]): to compute $(x_0\alpha + x_1\alpha^2)(y_0\alpha + y_1\alpha^2)$ it suffices to compute $x_0 y_0$, $x_1 y_1$ and $(x_0 + x_1)(y_0 + y_1)$, after which $x_0 y_1 + x_1 y_0$ follows using two subtractions.



2.3 Compact representation of powers of g and their conjugates

We present a number of straightforward results that show that powers of g, up to conjugacy, can be represented using a single element of GF(p^2).

We recall the definition of the trace function Tr(x) from GF(p^6) onto GF(p^2) mapping x to $x + x^{p^2} + x^{p^4}$. Because the order of $x \in \mathrm{GF}(p^6)^*$ divides p^6 - 1 the function is well defined. For $x, y \in \mathrm{GF}(p^6)$ and $c \in \mathrm{GF}(p^2)$, Tr(x + y) = Tr(x) + Tr(y) and Tr(cx) = c*Tr(x). That is, Tr(x) is GF(p^2)-linear.

Lemma 2.3.1. The minimal polynomial of g over GF(p^2) is $X^3 - BX^2 + B^pX - 1 \in \mathrm{GF}(p^2)[X]$ with $B = g + g^{p-1} + g^{-p} \in \mathrm{GF}(p^2)$.

Proof. Because g is not contained in any proper subfield of GF(p^6) it is a root of a unique monic irreducible polynomial $F(X) = X^3 - BX^2 + CX - D \in \mathrm{GF}(p^2)[X]$. Because $F(X)^{p^2} = F(X^{p^2})$ the roots of F(X) are g and its conjugates $g^{p^2}$ and $g^{p^4}$. Because the order q of g divides p^2 - p + 1 and because $p^2 \equiv p - 1 \bmod (p^2 - p + 1)$ and $p^4 \equiv -p \bmod (p^2 - p + 1)$, we find that $g^{p^2} = g^{p-1}$ and $g^{p^4} = g^{-p}$, so that

$B = g + g^{p-1} + g^{-p}$

and

$D = g \cdot g^{p-1} \cdot g^{-p} = 1.$

Note that B = Tr(g). From $F(g^{-p}) = 0$ it follows that

$g^{-3p} - Bg^{-2p} + Cg^{-p} - 1 = g^{-3p}\left(1 - Bg^{p} + Cg^{2p} - g^{3p}\right) = g^{-3p}\left(1 - B^{1/p}g + C^{1/p}g^2 - g^3\right)^p = 0.$

Because F(X) is the unique monic irreducible polynomial in GF(p^2)[X] that has g as a root it follows that $B = C^{1/p}$, i.e., $C = B^p$, which finishes the proof.

Remark 2.3.2. The identity $C = B^p$ in the proof of Lemma 2.3.1 also follows from

$C = g \cdot g^{p-1} + g \cdot g^{-p} + g^{p-1} \cdot g^{-p} = g^p + g^{1-p} + g^{-1}$

and

$B^p = \left(g + g^{p-1} + g^{-p}\right)^p = g^p + g^{p^2-p} + g^{-p^2} = g^p + g^{-1} + g^{1-p},$

since $p^2 - p \equiv -1 \bmod (p^2 - p + 1)$ and $-p^2 \equiv 1 - p \bmod (p^2 - p + 1)$.

Based on Lemma 2.3.1 it is tempting to represent g and its conjugates by Tr(g). We show that a result similar to Lemma 2.3.1 holds for any power of g and its conjugates. Consequently, $g^n$ and its conjugates can be represented by $Tr(g^n)$. For notational convenience we use the following definition.

Definition 2.3.3. Let $T(n) = Tr(g^n) \in \mathrm{GF}(p^2)$. Note that $T(n) = g^n + g^{np-n} + g^{-np}$ and that T(1) = B with B as in Lemma 2.3.1.

Lemma 2.3.4. $T(np) = T(n)^p = g^{-n} + g^{n-np} + g^{np} = T(-n)$.

Proof. Immediate from the definition of T(n) and from

$g^{np} + g^{np^2-np} + g^{-np^2} = g^{np} + g^{-n} + g^{n-np} = T(-n),$

as in Remark 2.3.2.

Lemma 2.3.5. For any integer n the roots of the polynomial $X^3 - T(n)X^2 + T(n)^pX - 1 \in \mathrm{GF}(p^2)[X]$ are $g^n$ and its conjugates $g^{np^2} = g^{np-n}$ and $g^{np^4} = g^{-np}$.

Proof. We compare the coefficients with the coefficients of the polynomial $(X - g^n)(X - g^{np-n})(X - g^{-np})$. The coefficient of $X^2$ follows from Definition 2.3.3, the constant coefficient from $g^{n+np-n-np} = 1$, and the coefficient of X from

$g^{n+np-n} + g^{n-np} + g^{np-n-np} = g^{np} + g^{n-np} + g^{-n}$

and Lemma 2.3.4.

25 

2.4 Computing T(n) for arbitrary n

We show that T(n) can efficiently be computed for any non-negative integer n.

Lemma 2.4.1. $T(u+v) = T(u) \cdot T(v) - T(v)^p \cdot T(u-v) + T(u-2v)$.

Proof. Immediate from the definition of T(u) and $T(v)^p = T(-v)$ (cf. Lemma 2.3.4).




Corollary 2.4.2. Let B = T(1) as in Lemma 2.3.1.

i. $T(2n) = T(n)^2 - 2T(n)^p$;

ii. $T(n+1) = B \cdot T(n) - B^p \cdot T(n-1) + T(n-2)$;

iii. $T(2n-1) = T(n) \cdot T(n-1) - B \cdot T(n-1)^p + T(n-2)^p$;

iv. $T(2n-3) = T(n-2) \cdot T(n-1) - B^p \cdot T(n-1)^p + T(n)^p$.

Proof.

i. This follows from Lemma 2.4.1 with u = v = n, T(0) = 3, and Lemma 2.3.4:
$T(2n) = T(n)^2 - T(n)^p \cdot T(0) + T(-n) = T(n)^2 - 3T(n)^p + T(n)^p = T(n)^2 - 2T(n)^p$.

ii. This follows from Lemma 2.4.1 with u = n and v = 1.

iii. This follows from Lemma 2.4.1 with u = n, v = n-1 and Lemma 2.3.4.

iv. This follows from Lemma 2.4.1 with u = n-2, v = n-1 and Lemma 2.3.4.

Definition 2.4.3. Let $S(n) = (T(n-2), T(n-1), T(n))$ for n > 0, where $T(-1) = T(1)^p = B^p$ (cf. Lemma 2.3.4) and T(0) = 3.

Algorithm 2.4.4 for the computation of T(n) given B = T(1). Given B (and B^p), we show how S(n+1) and S(2n) can be computed based on S(n). Computation of T(n) for arbitrary n then follows using the ordinary square and multiply method based on $S(1) = (B^p, 3, B)$ (cf. Definition 2.4.3).

• S(n+1) can be computed from S(n) using Corollary 2.4.2.ii. This takes two multiplications in GF(p^2).

• S(2n) can be computed by first using Corollary 2.4.2.i to compute T(2n-2) and T(2n) given S(n), at the cost of two squarings in GF(p^2), followed by an application of Corollary 2.4.2.iii to compute T(2n-1) at the cost of two multiplications in GF(p^2).

In both steps we use that pth powering is for free in GF(p^2). Figure 6 is a flow diagram of the arithmetic method to support key generation, as shown in section 2.4.4.

Theorem 2.4.5. Let w(n) denote the number of ones in the binary expansion of n. The representation T(n) of the nth power of g and its conjugates can be computed at the cost of 2*log2(n) squarings in GF(p^2) and 2*w(n) + 2*log2(n) multiplications in GF(p^2).

Proof. Immediate from Algorithm 2.4.4.

Corollary 2.4.6. With w(n) as in Theorem 2.4.5, the representation T(n) of the nth power of g and its conjugates can be computed at the cost of 4*log2(n) squarings and 6*w(n) + 8*log2(n) multiplications in GF(p).

Proof. Immediate from Theorem 2.4.5 and 2.2.

Remark 2.4.7. Assuming that w(n) ≈ log2(n)/2 and that a squaring in GF(p) takes 80% of the time of a multiplication in GF(p), we find that the computation of T(n) for n ≈ q can be performed at an expected cost of about 14.2*log2(q) multiplications in GF(p). This is more than 60% faster than the 37.8*log2(q) multiplications in GF(p) required by the method from [4] where powers of g are more traditionally represented as elements of GF(p^6) and which is substantially faster than standard methods to deal with subgroups. For the last estimate we assume that log2(q) ≈ log2(p). If elements of <g> are represented using a 3rd degree extension of GF(p^2), then exponentiation would take 42.3*log2(q) multiplications in GF(p), due to the fact that arithmetic in GF(p^2) is fast and because an extension polynomial of the special form $X^3 - BX^2 + B^pX - 1$ may be used. Note that, unlike the methods from for instance [1], we do not assume that p has a special form. Using such primes leads to additional savings by making the arithmetic in GF(p) faster.

Corollary 2.4.2.iv allows us to replace the standard square and multiply method by the less well known binary method, thereby saving some multiplications.

Algorithm 2.4.8 for the computation of T(n) given B = T(1). Given B and S(n) it is straightforward to compute S(2n) or S(2n-1) using Corollary 2.4.2:

• S(2n) is computed as in Algorithm 2.4.4 at the cost of two squarings and two multiplications in GF(p^2).

• S(2n-1) is computed by computing T(2n-1) and T(2n-2) as above at the cost of one squaring and two multiplications in GF(p^2), and by computing T(2n-3) using Corollary 2.4.2.iv at the cost of two multiplications in GF(p^2).

In both steps we use that pth powering is for free in GF(p^2).

Let n > 2 be some odd positive integer. To compute T(n) we proceed as follows. Let $S(2) = (3, B, B^2 - 2B^p)$ (cf. Definition 2.4.3 and Corollary 2.4.2.i), let r be such that $2^r \le n < 2^{r+1}$, let $2^{r+1} - n = \sum_{i=0}^{r-1} n_i 2^i$ with $n_i \in \{0, 1\}$, and let k = 2. For i = r-1, r-2, ..., 0 in succession replace S(k) by S(2k) and k by 2k if $n_i = 0$, and S(k) by S(2k-1) and k by 2k-1 if $n_i = 1$. As a result we have that k = n so that T(n) follows from S(n). If n is even we apply the above procedure to the odd part of n followed by one or more applications of Corollary 2.4.2.i.

Theorem 2.4.9. For a randomly selected N-bit number n, the representation T(n) of the nth power of g and its conjugates can be computed at an expected cost of 1.5*N squarings and 3*N multiplications in GF(p^2).

Proof. Immediate from Algorithm 2.4.8. 

Corollary 2.4.10. For a randomly selected N-bit number n, the representation T(n) of the nth power of g and its conjugates can be computed at an expected cost of 3*N squarings and 9.5*N multiplications in GF(p).

Proof. Application of Theorem 2.4.9 and 2.2 leads to 3*N squarings and 10.5*N multiplications in GF(p). In the computation of S(2n-1), however, we compute both B * T(n-1)^p and B^p * T(n-1)^p, which can be done using 4 as opposed to 6 multiplications in GF(p) if we combine the computations. So we may expect to be able to save a total of (2*N)/2 multiplications in GF(p).

Remark 2.4.11. We find that the computation of T(n) for n ≈ q can be performed at an expected cost of about 11.9*log2(q) multiplications in GF(p) (cf. assumptions in Remark 2.4.7). Thus, Algorithm 2.4.8 can be expected to be more than 15% faster than Algorithm 2.4.4. Under the assumption that log2(q) ≈ log2(p), exponentiation using Algorithm 2.4.8 is more than 3 times faster than the fast method from [4] mentioned in 2.4.7.

2.5 Computing powers of products 

Efficient representation and computation of powers of g suffices for the implementation of many cryptographic protocols. Sometimes, however, the product of two powers of g must be computed. For the standard representations this is straightforward, but in our representation computing products is relatively complicated. Here we sketch how the problem of computing the product of two powers of g may be solved. Our description is geared towards cryptographic applications, but can easily be generalized. Let B represent a generator g of a subgroup of order q dividing p^2 - p + 1, as in Lemma 2.3.1. Let y = g^k for a secret integer k (the private key), and let C = y + y^(p-1) + y^(-p) be y's representation. Obviously, the owner of the private key k can easily arrange the computation of C such that the representations C+ of g*y = g^(k+1) and C_ of y/g = g^(k-1) are computed as well. We show that if B, C, C+, and C_ are known, then for any pair of integers a, b the representation of g^a * y^b and its conjugates can be computed efficiently.



Lemma 2.5.1. Let T(m) be the representation of g^m and its conjugates, and let A be the following 3x3-dimensional matrix over GF(p^2):

$$A = \begin{pmatrix} B & -B^p & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}.$$

Then

$$\begin{pmatrix} T(n+1) \\ T(n) \\ T(n-1) \end{pmatrix} = A^n \begin{pmatrix} T(1) \\ T(0) \\ T(-1) \end{pmatrix},$$

where T(1) = B, T(0) = 3, and T(-1) = B^p (cf. 2.3.3 and 2.3.4).



Proof. From the definition of A and T(n+1) = B * T(n) - B^p * T(n-1) + T(n-2) (cf. Corollary 2.4.2.ii) it follows that

$$\begin{pmatrix} T(n+1) \\ T(n) \\ T(n-1) \end{pmatrix} = A \begin{pmatrix} T(n) \\ T(n-1) \\ T(n-2) \end{pmatrix}.$$

The proof follows by induction.



Thus, if for the representations T(u) and T(v) of g^u and g^v the uth and vth powers of A are known, then the representation T(u+v) of g^(u+v) can simply be computed by applying Lemma 2.5.1 with n = u + v to A^(u+v) = A^u * A^v. We show how A^u can be obtained from T(u), if T(u+1) and T(u-1) are known as well.



Lemma 2.5.2. Given T(0), T(1), T(-1), T(n), T(n+1), and T(n-1) the matrix A^n can be computed as

$$A^n = \begin{pmatrix} T(n) & T(n+1) & T(n+2) \\ T(n-1) & T(n) & T(n+1) \\ T(n-2) & T(n-1) & T(n) \end{pmatrix} \begin{pmatrix} T(0) & T(1) & T(2) \\ T(-1) & T(0) & T(1) \\ T(-2) & T(-1) & T(0) \end{pmatrix}^{-1}$$

in a small constant number of operations in GF(p^2).



Proof. Given T(0), T(1), T(-1), T(n), T(n+1), and T(n-1), Corollary 2.4.2.ii is used to compute T(±2) and T(n±2). As in the proof of Lemma 2.5.1 it follows that

$$\begin{pmatrix} T(n) & T(n+1) & T(n+2) \\ T(n-1) & T(n) & T(n+1) \\ T(n-2) & T(n-1) & T(n) \end{pmatrix} = A^n \begin{pmatrix} T(0) & T(1) & T(2) \\ T(-1) & T(0) & T(1) \\ T(-2) & T(-1) & T(0) \end{pmatrix}.$$

The proof follows by observing that

$$\begin{pmatrix} T(-2) & T(-1) & T(0) \\ T(-1) & T(0) & T(1) \\ T(0) & T(1) & T(2) \end{pmatrix}$$

is the product of the Vandermonde matrix

$$\begin{pmatrix} g^{-1} & g^{1-p} & g^{p} \\ 1 & 1 & 1 \\ g & g^{p-1} & g^{-p} \end{pmatrix}$$

and its transpose, and therefore invertible. The determinant of the latter matrix equals T(p+1)^p - T(p+1), and (T(p+1)^p - T(p+1))^2 = B^(2p+2) + 18*B^(p+1) - 4*(B^(3p) + B^3) - 27 ∈ GF(p). Because pth powering is for free in GF(p^2), the proof follows.






Algorithm 2.5.3 for the computation of the representation of g^a * y^b for integers a, b with 1 < a, b < q, given the representation B of g and the representations C, C+, and C- of y, y*g, and y/g, respectively.

1. Compute c = a/b mod q;

2. Given B use Algorithm 2.4.8 to compute T(c+1), T(c), T(c-1) (note that the final applications of Corollary 2.4.2.i in Algorithm 2.4.8, if any, should be replaced by the usual calculation of the full S(2n));

3. Use Lemma 2.5.2 with T(0) = 3, T(1) = B, T(-1) = B^p, T(c), T(c+1), and T(c-1) to compute A^c;

4. Use Lemma 2.5.2 with T(0) = 3, T(1) = B, T(-1) = B^p, T(k) = C, T(k+1) = C+, and T(k-1) = C- to compute the corresponding power of A, which we denote by A^k, even though k is unknown;

5. Compute A^(c+k);

6. Using Lemma 2.5.1 and A^(c+k) compute T(c+k);

7. Use Algorithm 2.4.8 with B replaced by T(c+k) and n replaced by b to compute the representation T((c+k) * b) = T(a + k*b) of g^a * y^b.






Figure 10A is a flow diagram of the arithmetic method to support generating digital 
signatures, as shown in section 2.5.3. 



Theorem 2.5.4. For randomly selected N-bit numbers a and b, the representation of g^a * y^b and its conjugates can be computed at an expected cost of 3*N squarings and 6*N multiplications in GF(p^2) plus a small constant number of 3x3 matrix multiplications over GF(p^2).

Proof. Immediate from Algorithm 2.5.3 and Theorem 2.4.9.

Corollary 2.5.5. For randomly selected N-bit numbers a and b, the representation of g^a * y^b and its conjugates can be computed at an expected cost of 6*N squarings and 19*N multiplications in GF(p) plus a small constant number of 3x3 matrix multiplications over GF(p^2).

Proof. Immediate from Algorithm 2.5.3, Corollary 2.4.10, and 2.2.


Remark 2.5.6. Under the second assumption made in Remark 2.4.7, we find that the computation of the representation of g^a * y^b for a ≈ b ≈ q can be performed at an expected cost of about 23.8*log2(q) multiplications in GF(p). If the more traditional but fast method from [4] is used to represent GF(p^6), then computation of the representation of g^a * y^b takes almost 47*log2(q) multiplications in GF(p). If elements of <g> are represented using a 3rd degree extension of GF(p^2) (cf. Remark 2.4.7), then the computation of the representation of g^a * y^b takes about 51*log2(q) multiplications in GF(p). We conclude that both single and double exponentiations can be done much faster using our representation than using previously published techniques.


3. Fast initialization

We describe three different ways to compute a proper initial B as in Lemma 2.3.1, i.e., an element B of GF(p^2) such that there is a g ∈ GF(p^6) of order q dividing p^2-p+1 with

3.1 Straightforward approach 

Algorithm 3.1.1 for the computation of B.

1. Pick at random a third degree monic irreducible polynomial over GF(p^2), and use that polynomial for representation of and arithmetic on elements of GF(p^6).

2. Pick at random an element h ∈ GF(p^6)*;

3. Compute the ((p^6 - 1)/q)th power g of h;

4. If g = 1, then return to Step 2;

5. Compute B = g + g^(p-1) + g^(-p).

Theorem 3.1.2. Algorithm 3.1.1 can be expected to require 3 irreducibility tests over GF(p^2) of third degree monic polynomials in GF(p^2)[X], and 1-1/q exponentiations in GF(p^6)* with exponent (p^6-1)/q.


Proof. Immediate from the well known fact that a random monic third degree polynomial in GF(p^2)[X] is irreducible with probability 1/3.

Although conceptually easy, Algorithm 3.1.1 requires actual representation of and manipulation with elements of GF(p^6). From an implementation point of view it is therefore less attractive. Note that a random third degree polynomial H(X) in GF(p^2)[X] can be tested for irreducibility by testing if gcd(X^(p^2) - X, H(X)) = 1 in GF(p^2)[X]. This requires about 2*log2(p) squarings and log2(p) multiplications of elements of GF(p^2)[X]/(H(X)), which can be carried out in 12*log2(p) squarings and 69*log2(p) multiplications in GF(p).


3.2 Randomized approach using irreducibility 

Algorithm 3.2.1 for the computation of B.

1. Pick at random an element B' ∈ GF(p^2)*\GF(p)*;

2. If X^3 - B'X^2 + B'^pX - 1 ∈ GF(p^2)[X] is reducible, then return to Step 1;

3. Use Algorithm 2.4.8 with B replaced by B' to compute T((p^2-p+1)/q) (i.e., with B' = T(1));

4. If T((p^2-p+1)/q) = 3, then return to Step 1;

5. Let B = T((p^2-p+1)/q).

To justify Algorithm 3.2.1 we use the following two lemmas.

Lemma 3.2.2. An irreducible polynomial of the form X^3 - B'X^2 + B'^pX - 1 ∈ GF(p^2)[X] is the minimal polynomial of an element of GF(p^6) of order > 3 and dividing p^2-p+1.

Lemma 3.2.3. For a randomly selected B' ∈ GF(p^2)*\GF(p)* the probability that the polynomial X^3 - B'X^2 + B'^pX - 1 ∈ GF(p^2)[X] is irreducible is about one third.
Lemma 3.2.2 proves that it makes sense to apply Algorithm 2.4.8 with B replaced by B', because the role of g in Section 2 is played by some (unknown) element of GF(p^6) of order dividing p^2-p+1. This works because g never explicitly occurs in the computations in Algorithm 2.4.8 (except to compute B, which is replaced by B' for our current purposes).

Lemma 3.2.3 proves that on average only about three different values for B' have to be selected before an irreducible polynomial is found. The proof of the following theorem is immediate.

Theorem 3.2.4. Algorithm 3.2.1 can be expected to require 3*(1-1/q) irreducibility tests over GF(p^2) of third degree monic polynomials of the form X^3 - B'X^2 + B'^pX - 1 in GF(p^2)[X], and 1-1/q applications of Algorithm 2.4.8 with n = (p^2-p+1)/q.

Proof of Lemma 3.2.2. Because X^3 - B'X^2 + B'^pX - 1 ∈ GF(p^2)[X] is irreducible its roots are in GF(p^6)*\GF(p^2)* and thus of order dividing (p^6-1)/(p^2-1) = p^4+p^2+1. Denote the roots by h and its conjugates h^(p^2) and h^(p^4) = h^(-p^2-1), the latter because the order of h divides p^4+p^2+1. If h^3 = 1, then h^(p^2) would be equal to h since p ≡ 2 mod 3, and h would be in GF(p^2) contradicting the irreducibility. Because the order of h cannot be even, it follows that the order of h is > 3. Reversing the argument in the proof of Lemma 2.3.1 it follows that if h is a root, then so is h^(-p). Thus either h = h^(-p), or h^(p^2) = h^(-p), or h^(-p^2-1) = h^(-p). The first two possibilities are in contradiction with the fact that the order of h divides p^4+p^2+1, that gcd(p^4+p^2+1, p+1) = 3, and that the order of h is > 3, and the last remaining possibility leads to the conclusion that the order of h divides p^2-p+1.

Proof of Lemma 3.2.3. This follows from a straightforward counting argument. About p^2-p elements of the subgroup of order p^2-p+1 of GF(p^6)* are roots of monic irreducible polynomials of the form X^3 - B'X^2 + B'^pX - 1 ∈ GF(p^2)[X] (cf. Lemma 2.3.1). Since each of these polynomials has three distinct roots, there must be about (p^2-p)/3 different values for B' in GF(p^2)*\GF(p)* such that X^3 - B'X^2 + B'^pX - 1 is irreducible.

Compared to Algorithm 3.1.1, the arithmetic in GF(p^6) is replaced in Algorithm 3.2.1 by application of Algorithm 2.4.8. That is much more convenient for the implementation of our method, because Algorithm 2.4.8 is required anyhow. We now show that the irreducibility tests can be replaced by an application of Algorithm 2.4.8 as well.
3.3 Randomized approach without irreducibility

If B' as in Step 1 of Algorithm 3.2.1 leads to an irreducible polynomial in Step 2, then we know that T(n) corresponds to the sum of the conjugates of the nth powers of an element of order dividing p^2-p+1 and we know how to compute T(n) efficiently based on B'. We now consider what we can say about a thus computed T(n) if the polynomial in Step 2 of Algorithm 3.2.1 is not known to be irreducible. This leads to results that are very similar to those of Section 2, but the proofs are slightly more cumbersome. Let B' be an element of GF(p^2) and let α, β, and γ be the, not necessarily distinct, roots of F(X) = X^3 - B'X^2 + B'^pX - 1 ∈ GF(p^2)[X].

Lemma 3.3.1.

i. B' = α + β + γ;

ii. α * β * γ = 1;

iii. α^n * β^n + α^n * γ^n + β^n * γ^n = γ^(-n) + β^(-n) + α^(-n) for any integer n.

Proof. Immediate. Note that iii uses ii.

If F(X) is irreducible, then it follows from Lemma 3.2.2 that α, β, and γ are of the form g, g^(p-1), g^(-p) for some g in GF(p^6) of order > 3 and dividing p^2-p+1. If F(X) is reducible, we have the following lemma.

Lemma 3.3.2. If F(X) is reducible, then α, β, γ are in GF(p^2).

Proof. Using the same argument as in the proof of Lemma 3.2.2 we find that α^(-p), β^(-p), and γ^(-p) are also roots of F(X). Without loss of generality, we find that either α = α^(-p), β = β^(-p), γ = γ^(-p), or α = α^(-p), γ = β^(-p), β = γ^(-p), or β = α^(-p), γ = β^(-p), α = γ^(-p). In the first case all roots have order divisible by p+1 so that they are all in GF(p^2). In the second case α has order divisible by p+1 and β and γ have order divisible by p^2-1, so that they are again all in GF(p^2). In the final case it follows that 1 = α*β*γ = α*α^(-p)*α^(p^2) = α^(1-p+p^2) = β^(1-p+p^2) = γ^(1-p+p^2). Because F(X) is reducible, at least one root, say α, is in GF(p^2), so that the order of α divides gcd(p^2-p+1, p^2-1) = 3 (since p ≡ 2 mod 3). But from α^3 = 1, β = α^(-p), and γ = β^(-p) it now follows that α = β = γ, so that the third case does not occur but is covered by the first case.
Definition 3.3.3. Let V(n) = α^n + β^n + γ^n. Note that V(1) = B' and that V(n) ∈ GF(p^2), because V(n) = T(n) if F(X) is irreducible and α, β, γ ∈ GF(p^2) otherwise.

Lemma 3.3.4. V(np) = V(n)^p = α^(-n) + β^(-n) + γ^(-n) = V(-n).

Proof. From the proof of Lemma 3.3.2 it follows that α + β + γ = α^(-p) + β^(-p) + γ^(-p) and, more generally, that α^m + β^m + γ^m = α^(-mp) + β^(-mp) + γ^(-mp) for any integer m. The proof follows by taking m = -n.

Lemma 3.3.5. For any integer n the roots of the polynomial X^3 - V(n)X^2 + V(n)^pX - 1 ∈ GF(p^2)[X] are α^n, β^n, and γ^n.

Proof. If F(X) is irreducible the result follows from Lemma 2.3.5, so let us assume that F(X) is reducible. As in the proof of Lemma 2.3.5 we compare the coefficients with the coefficients of the polynomial (X - α^n)(X - β^n)(X - γ^n). The coefficient of X^2 follows from Definition 3.3.3, the constant coefficient from Lemma 3.3.1.ii, and the coefficient of X from Lemma 3.3.1.iii and Lemma 3.3.4.

It follows from Lemmas 2.3.5 and 3.3.5 that even if F(X) is reducible, V(n) and T(n) play very similar roles, because they can be used in the same way to define a polynomial that has the nth powers of the roots of F(X) as its roots. We now show that V(n) can be computed in the same way as T(n).

Lemma 3.3.6. V(u+v) = V(u) * V(v) - V(v)^p * V(u-v) + V(u-2v).

Proof. Immediate from the definition of V(u) and V(v)^p = V(-v) (cf. Lemma 3.3.4).

Algorithms 2.4.4 and 2.4.8 are based on Corollary 2.4.2, which is based on Lemma 2.4.1. Lemma 3.3.6 is the equivalent of Lemma 2.4.1 with T replaced by V. Therefore, V(n) can be computed using Algorithm 2.4.4 or Algorithm 2.4.8 with B replaced by B' and T replaced by V.

Lemma 3.3.7. F(X) ∈ GF(p^2)[X] is reducible if and only if V(p+1) ∈ GF(p).

Proof. If F(X) is reducible then α, β, γ ∈ GF(p^2) (Lemma 3.3.2) so that α^(p+1), β^(p+1), γ^(p+1) ∈ GF(p) and thus V(p+1) = α^(p+1) + β^(p+1) + γ^(p+1) ∈ GF(p). If V(p+1) ∈ GF(p), then V(p+1)^p = V(p+1), so that X^3 - V(p+1)X^2 + V(p+1)X - 1 has 1 as a root. Because the roots of X^3 - V(p+1)X^2 + V(p+1)X - 1 are the (p+1)st powers of the roots of F(X) (cf. Lemma 3.3.5), it follows that F(X) has a root of order dividing p+1, so that F(X) is reducible over GF(p^2).


This leads to the following algorithm to find a proper initial B as in Lemma 2.3.1.

Algorithm 3.3.8 for the computation of B.

1. Pick at random an element B' ∈ GF(p^2)*\GF(p)*;

2. Use Algorithm 2.4.8 with B replaced by B' and T replaced by V to compute V(p+1) (i.e., with B' = T(1) = V(1));

3. If V(p+1) ∈ GF(p), then return to Step 1;

4. Use Algorithm 2.4.8 with B replaced by B' to compute T((p^2-p+1)/q) (i.e., with B' = T(1));

5. If T((p^2-p+1)/q) = 3, then return to Step 1;

6. Let B = T((p^2-p+1)/q).

Figure 7 is a flow diagram of the method of key generation, as shown in section 3.3.8. 
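An added worked example, not code from the patent: Python implementing GF(p^2) arithmetic for p ≡ 2 mod 3, Algorithm 2.4.8 on S(k) = (T(k-2), T(k-1), T(k)) (the doubling steps use the identities of Lemma 3.3.6, written out in the comments), the search of Algorithm 3.3.8 for B, and the key agreement of 4.1. It assumes constructed toy parameters p = 29 and q = 271 (q divides p^2 - p + 1 = 813); the function names and the deterministic sweep over B' in place of random selection are the example's own choices.

```python
# Added example, not from the patent text: GF(p^2) arithmetic, Algorithm 2.4.8
# (binary method on S(k) = (T(k-2), T(k-1), T(k))), Algorithm 3.3.8 and the key
# agreement of 4.1, on constructed toy parameters p = 29, q = 271 (q | p^2 - p + 1).
P, Q = 29, 271
assert P % 3 == 2 and (P * P - P + 1) % Q == 0

class GF2:
    """Element a + b*w of GF(p^2) = GF(p)[w]/(w^2 + w + 1), irreducible as p = 2 mod 3."""
    __slots__ = ("a", "b")
    def __init__(self, a, b=0):
        self.a, self.b = a % P, b % P
    def __eq__(self, o):
        return isinstance(o, GF2) and (self.a, self.b) == (o.a, o.b)
    def __add__(self, o):
        return GF2(self.a + o.a, self.b + o.b)
    def __sub__(self, o):
        return GF2(self.a - o.a, self.b - o.b)
    def __mul__(self, o):
        # (a + b w)(c + d w) = ac + (ad + bc) w + bd w^2, with w^2 = -1 - w
        return GF2(self.a * o.a - self.b * o.b,
                   self.a * o.b + self.b * o.a - self.b * o.b)
    def frob(self):
        # p-th powering: w^p = w^2 = -1 - w, so it costs no multiplication
        return GF2(self.a - self.b, -self.b)
    def in_base_field(self):
        return self.b == 0
    def __repr__(self):
        return f"GF2({self.a}, {self.b})"

THREE = GF2(3)                     # T(0) = 3

def dbl(t):
    """T(2n) = T(n)^2 - 2*T(n)^p (Corollary 2.4.2.i)."""
    tp = t.frob()
    return t * t - tp - tp

def s_double(B, S):
    """S(n) -> S(2n) = (T(2n-2), T(2n-1), T(2n)): two squarings, two multiplications."""
    t0, t1, t2 = S                 # T(n-2), T(n-1), T(n)
    # T(2n-1) = T(n)*T(n-1) - B*T(n-1)^p + T(n-2)^p   (Lemma 3.3.6, u = n, v = n-1)
    return (dbl(t1), t2 * t1 - B * t1.frob() + t0.frob(), dbl(t2))

def s_double_minus_one(B, S):
    """S(n) -> S(2n-1) = (T(2n-3), T(2n-2), T(2n-1)): one squaring, four multiplications."""
    t0, t1, t2 = S
    # T(2n-3) = T(n-2)*T(n-1) - B^p*T(n-1)^p + T(n)^p   (Lemma 3.3.6, u = n-2, v = n-1)
    return (t0 * t1 - B.frob() * t1.frob() + t2.frob(),
            dbl(t1), t2 * t1 - B * t1.frob() + t0.frob())

def trace_power(B, n):
    """T(n) from B = T(1) for n >= 0 as in Algorithm 2.4.8; the same code computes V(n)."""
    if n == 0:
        return THREE
    odd, twos = n, 0
    while odd % 2 == 0:            # even n: odd part first, then Corollary 2.4.2.i
        odd, twos = odd // 2, twos + 1
    t = B
    if odd > 1:
        r = odd.bit_length() - 1   # 2^r < odd < 2^(r+1)
        m = (1 << (r + 1)) - odd   # its bits are the n_i of Algorithm 2.4.8
        S, k = (THREE, B, dbl(B)), 2            # S(2) = (T(0), T(1), T(2))
        for i in range(r - 1, -1, -1):
            if (m >> i) & 1:
                S, k = s_double_minus_one(B, S), 2 * k - 1
            else:
                S, k = s_double(B, S), 2 * k
        assert k == odd
        t = S[2]
    for _ in range(twos):
        t = dbl(t)
    return t

def find_b():
    """Algorithm 3.3.8, sweeping B' deterministically instead of choosing it at random."""
    for a in range(P):
        for b in range(1, P):                  # b != 0 keeps B' outside GF(p)
            bprime = GF2(a, b)
            if trace_power(bprime, P + 1).in_base_field():
                continue                       # Step 3: F(X) reducible (Lemma 3.3.7)
            B = trace_power(bprime, (P * P - P + 1) // Q)
            if B == THREE:
                continue                       # Step 5: element of order 1
            return B                           # Step 6: B represents an order-q element
    raise ValueError("no suitable B' found")

def dh_agree(B, a, b):
    """Section 4.1: Alice's and Bob's derived keys; both equal T(a*b) for the generator."""
    va, vb = trace_power(B, a), trace_power(B, b)       # the two exchanged values
    return trace_power(vb, a), trace_power(va, b)

if __name__ == "__main__":
    B = find_b()
    print("B =", B, " T(q) =", trace_power(B, Q), " keys:", dh_agree(B, 5, 17))
```

The recurrence of Corollary 2.4.2.ii, T(n+1) = B*T(n) - B^p*T(n-1) + T(n-2), gives an independent check of the binary method for any B', irreducible F(X) or not.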

Theorem 3.3.9. Algorithm 3.3.8 computes an element B ∈ GF(p^2) such that B = g + g^(p-1) + g^(-p) for an element g of GF(p^6) of order q > 3 dividing p^2 - p + 1. It can be expected to require 3*(1-1/q) applications of Algorithm 2.4.8 with n = p+1 and 1-1/q applications of Algorithm 2.4.8 with n = (p^2-p+1)/q.

Proof. The correctness of Algorithm 3.3.8 follows from the fact that F(X) is irreducible if V(p+1) ∉ GF(p) (Lemma 3.3.7). The run time estimate follows from Lemma 3.2.3 and the fact that V(p+1) ∉ GF(p) if F(X) is irreducible (Lemma 3.3.7).

4. Applications 


The subgroup representation method described in Section 2 can be used in any cryptosystem that relies on the (subgroup) discrete logarithm problem. In this section we describe some of these applications in more detail. We assume that primes p and q have been selected as described in 2.1 such that q divides p^2 - p + 1 and that B ∈ GF(p^2) has been determined as representation of a generator of a subgroup of order q, for instance using the method described in Section 3. We also discuss how the public key data p, q, and B may be represented, and we compare the performance of our method with RSA and ECC.


4.1 Application to the Diffie-Hellman scheme 

Suppose that two parties, Alice and Bob, who both have access to the public key data p, q, B want to agree on a shared secret key. They can do this by performing the following variant of the Diffie-Hellman scheme:

1. Alice selects at random an integer a, 1 < a < q - 2, uses Algorithm 2.4.8 to compute V_A = T(a) ∈ GF(p^2), and sends V_A to Bob.

2. Bob receives V_A from Alice, selects at random an integer b, 1 < b < q - 2, uses Algorithm 2.4.8 to compute V_B = T(b) ∈ GF(p^2), and sends V_B to Alice.

3. Alice receives V_B from Bob, and uses Algorithm 2.4.8 with B replaced by V_B (i.e., with V_B = T(1)) to compute K_AB = T(a) ∈ GF(p^2).

4. Bob uses Algorithm 2.4.8 with B replaced by V_A (i.e., with V_A = T(1)) to compute K_AB = T(b) ∈ GF(p^2).

The length of the messages exchanged in this DH variant is about one third of the length of the messages in other implementations of the DH scheme that achieve the same level of security and that are based on the difficulty of computing discrete logarithms in (a subgroup of) the multiplicative group of a finite field. Also, our variant of the DH scheme requires considerably less computation than those previously published methods (cf. Remark 2.4.11).

Figure 8 is a flow diagram of the method of Diffie Hellman key exchange, as shown in section 4.1, using keys generated by the method of Figure 7.

4.2 Application to the ElGamal encryption scheme 

Suppose that Alice is the owner of the public key data p, q, B, and that Alice has selected a secret integer k and computed the corresponding public value C = T(k) using Algorithm 2.4.8. Thus, Alice's public key data consists of (p, q, B, C). Given Alice's public key (p, q, B, C) Bob can encrypt a message M intended for Alice using the following variant of ElGamal encryption:

1. Bob selects at random an integer b, 1 < b < q - 2;

2. Bob uses Algorithm 2.4.8 to compute V_B = T(b) ∈ GF(p^2);

3. Bob uses Algorithm 2.4.8 with B replaced by C (i.e., with C = T(1)) to compute K = T(b) ∈ GF(p^2);

4. Bob uses K to encrypt M, resulting in the encryption E.

5. Bob sends (V_B, E) to Alice.

Note that Bob may have to hash the bits representing K down to a suitable encryption key length.

Upon receipt of (V_B, E), Alice decrypts the message in the following manner:

1. Alice uses Algorithm 2.4.8 with B replaced by V_B (i.e., with V_B = T(1)) to compute K = T(k) ∈ GF(p^2);

2. Alice uses K to decrypt E resulting in M.

The message (V_B, E) sent by Bob consists of the actual encryption E, whose length strongly depends on the length of M, and the overhead V_B, whose length is independent of the length of M. The length of the overhead in this variant of the ElGamal encryption scheme is about one third of the length of the overhead in other implementations of message-length independent ElGamal encryption (cf. Remark 4.2.1). Also, our method is considerably faster (cf. Remark 2.4.11). Figure 9 is a flow diagram of the method of ElGamal encryption, as shown in section 4.2, using keys generated by the method of Figure 7.

Remark 4.2.1. Our variant of ElGamal encryption is based on the common message-length independent version of ElGamal encryption, i.e., where the key K is used in conjunction with an (unspecified) symmetric key encryption method. In more traditional ElGamal encryption the message is restricted to the key space and 'encrypted' using, for instance, multiplication by the key, an invertible operation that takes place in the key space. In our description this would amount to requiring that M ∈ GF(p^2), and to computing E as K*M ∈ GF(p^2). Compared to this more traditional variant of ElGamal encryption we save a factor three on the length of both parts of the encrypted message, for messages that fit in our key space (of one third of the 'traditional' size).

4.3 Application to digital signature schemes

Let, as in 4.2, Alice's public key data consist of (p, q, B, C), where C = T(k) and k is Alice's private key. Furthermore, assume that C+ = T(k+1) and C_ = T(k-1) are included in Alice's public key (cf. 2.5). We show how the Nyberg-Rueppel (NR) message recovery signature scheme can be implemented using our subgroup representation. Application of our method to other digital signature schemes goes in a similar way. To sign a message M containing an agreed upon type of redundancy, Alice does the following:

1. Alice selects at random an integer a, 1 < a < q - 2;

2. Alice uses Algorithm 2.4.8 to compute V_A = T(a) ∈ GF(p^2);

3. Alice uses V_A to encrypt M, resulting in the encryption E.

4. Alice computes the (integer valued) hash h of E.

5. Alice computes s = (k * h + a) modulo q in the range {0, 1, ..., q-1}.

6. Alice's resulting signature on M is (E, s).

As in 4.2 Alice may have to hash the bits representing V_A down to a suitable encryption key length.

To verify Alice's signature (E, s) and to recover the signed message M, Bob does the following:

1. Bob obtains Alice's public key data (p, q, B, C, C+, C-).

2. Bob checks that 0 < s < q; if not, failure.

3. Bob computes the hash h of E (using the same hash function used by Alice).

4. Bob replaces h by -h modulo q (i.e., in the range {0, 1, ..., q-1}).

5. Bob uses Algorithm 2.5.3 to compute the representation V_B of g^s * y^h given a = s, b = h, B, C, C+, and C-.

6. Bob uses V_B to decrypt E resulting in the message M.

7. If M contains the agreed upon type of redundancy, then the signature is accepted; if not, the signature is rejected.

Both for signature generation and signature verification our method is considerably faster than other subgroup based implementations of the NR scheme (cf. Remarks 2.4.11 and 2.5.6). The length of the signature is identical to other variants of the NR scheme that are message-length independent (cf. Remark 4.2.1): an overhead part of length depending on the desired security (i.e., the subgroup size) and a message part of length depending on the message itself and the agreed upon redundancy. Similar statements hold for other digital signature schemes, such as DSA.

Figure 10B is a flow diagram of the method of generating digital signatures, as shown in section 4.3, using keys generated by the method of Figure 7.

4.4 Public key size

For the applications in 4.1 and 4.2 a public key consisting of (p, q, B, C) suffices. For the digital signature application in 4.3 a much larger public key consisting of (p, q, B, C, C+, C-) is required. We assume that public keys are certified in some way, and that the certificates contain information identifying the owner of the key. Furthermore, we assume that the bit-lengths P of p and Q of q are fixed system parameters, known to all parties in the system, and that P > Q - 2 (cf. 2.1). We discuss how much overhead is required for the representation of the public key in a certificate, i.e., on top of the user ID and other certification related bits.

If no attempts are made to compress the key, then representing (p, q, B, C) takes 5*P + Q bits, and (p, q, B, C, C+, C_) requires 9*P + Q bits. We sketch one possible way how, at the cost of a small computational overhead for the recipient of the public key, p, q, and B can be represented using far fewer than 3*P + Q bits.

First of all, the prime q can be determined as a function f of the user ID and a small seed s, for some function f that is known to all parties in the system. The seed could consist of a random part s_1 and a small additive part s_2 that is computed by the party that determines q, for instance by finding a small integer s_2 (of about log2(Q) bits) such that 12*(f(ID, s_1) + s_2) + 7 is prime (and defines q, cf. 2.1). Given q, the smallest (or largest) root r in {0, 1, ..., q-1} of x^2 - x + 1 modulo q can be found using a single exponentiation in GF(q). From P an integer z_1 easily follows such that p should be at least r + z_1*q, and a small integer z_2 (of about log2(P) bits) can be found such that r + z_1*q + z_2*q is prime (and defines p, cf. 2.1). Thus, assuming that f, P, and Q are system-wide parameters, the primes q and p can be determined given the user ID, s, and z_2 at the cost of essentially a single exponentiation in GF(q). Alternatively, and if allowed by P, the party determining q may pick random s_1's until r (or r + z_1*q) itself is prime (and defines p). In that case q and p are fully determined by and can quickly be recovered from the user ID and s.

To compress the number of bits required for the representation of B we assume that the party that determines B uses Algorithm 3.3.8, but instead of selecting B' at random in Step 1 of Algorithm 3.3.8, tries B' = iα + (i+1)α^2 (cf. 2.1) for i = 2, 3, 4, ..., in succession, until Step 6 is reached. The final B' can usually be represented using at most 5 bits (if not, just pick another s_1 and start all over again). The corresponding B can be determined given B' at the cost of a single application of Algorithm 2.4.8 with B replaced by B', as in Step 4 of Algorithm 3.3.8.

All these computations to recover p, q, and B can easily be performed by the recipient of a certificate. Correctness of the bits provided (i.e., if they lead to primes q and p of the right sizes, and to a B representing an order q element) should be verified by the certification authority. We conclude that p, q, and B can be selected in such a way that they can be recovered from the user ID and an additional log2(s_1) + log2(Q) + log2(P) + 5 bits. In practical situations 48 additional bits, i.e., 6 bytes, should be enough.
We conclude that for our versions of the DH scheme and ElGamal encryption the public key data overhead in the certificates can be limited to 48 + 2*P bits: 48 bits from which p, q, and B can be derived, and 2*P bits for C. For 170-bit subgroups and 1024-bit finite fields that is about one third of the size of traditional subgroup public keys. It is somewhat more than twice the size of an ECC public key, assuming the finite field, elliptic curve data, and group size are shared among all parties in the ECC system. If curves or finite fields are not shared, then ECC public keys need substantially more bits than our method when applied as in 4.1 or 4.2 unless similar ID based methods are used for curve and finite field generation (cf. 4.5).

The public key overhead of our method when used in conjunction with digital signatures, as in 4.3, is much larger, namely 48 + 6*P bits. This is still competitive with traditional subgroup public key sizes, but more than non-shared ECC public key sizes. In the next subsection we show how 2*P bits can be saved at the cost of a moderate one time computation for the recipient of the public key.


4.5 Reducing the public key size for digital signature applications

For digital signature applications of our method the public key contains C, C+, and C_. We show that, at the cost of a moderate one time computation for the recipient of the public key, it suffices to send just two of C, C+, and C_, thereby reducing the public key overhead for digital signature applications of our method from 48 + 6*P to approximately 48 + 4*P bits. An easy way to see this is as follows. Assume that C and C+ are given. From Lemma 2.5.2 with T(0) = 3, T(1) = B, T(n) = C and T(n+1) = C+ and the fact that the determinant of the matrix A equals 1 it follows that T(n-1) = C_ has to be determined such that the determinant of the matrix from Lemma 2.5.2 with T(n) on the diagonal equals the determinant of the matrix from Lemma 2.5.2 with T(0) on the diagonal. This leads to a third degree equation in T(n-1) (i.e., C_) over GF(p^2), which can be solved at the cost of a small number of pth powerings in GF(p^2). The correct candidate can be determined at the cost of at most a few additional bits in the public key. We present a conceptually more complicated method that can be used not only to determine C-, but that can also be used to establish the correctness of C+ (i.e., that C+ is the proper value corresponding to B and C). Let C = y + y^(p-1) + y^(-p), as in 2.5.

Definition 4.5.1. Let F_r ∈ GF(p^2)[X] denote the minimal polynomial over GF(p^2) of r ∈ GF(p^6).

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Definition 4.5.2. Let r, s e GF(p 6 ). The root-product 9f(r,s) of r and s is defined as the 
polynomial with roots {a*fi\ a, /? e GF(p 6 ), F r (a) = 0, F S (J$) = 0}. 

Lemma 4.5.3. Let $r, s \in GF(p^6)$. Then $\mathcal{R}(r,s) = F_{rs} \cdot F_{rs^{p^2}} \cdot F_{rs^{p^4}} \in GF(p^2)[X]$.



Proof. According to Definition 4.5.2 the roots of the root-product $\mathcal{R}(r,s)$ are $r^{p^i} s^{p^j}$ for $i, j \in \{0, 2, 4\}$, i.e., $rs$ and its conjugates over $GF(p^2)$ (for $i = j$), $rs^{p^2}$ and its conjugates (for $j = i + 2 \bmod 6$), and $rs^{p^4}$ and its conjugates (for $j = i + 4 \bmod 6$). The proof follows.

Lemma 4.5.4. Given $B$ and $T(p-2)$, values $K, L, M \in GF(p^2)$ such that $g^p = Kg^2 + Lg + M$ modulo $g^3 - Bg^2 + B^p g - 1$ can be computed at the cost of a small constant number of operations in $GF(p^2)$.



Proof. By raising $g^p = Kg^2 + Lg + M$ to the $(p^i)$-th power for $i = 0, 2, 4$, and by adding the three resulting identities, we find that $T(p) = KT(2) + LT(1) + MT(0)$. Similarly, from $g^{p-1} = Kg + L + Mg^{-1}$ and $g^{p-2} = K + Lg^{-1} + Mg^{-2}$ it follows that $T(p-1) = KT(1) + LT(0) + MT(-1)$ and $T(p-2) = KT(0) + LT(-1) + MT(-2)$, respectively. With $T(p-1) = T(p^2) = T(1) = B$ and $T(p) = T(1)^p = B^p$, this leads to the following system of equations over $GF(p^2)$:

$$
\begin{pmatrix} B^p \\ B \\ T(p-2) \end{pmatrix}
=
\begin{pmatrix} T(0) & T(1) & T(2) \\ T(-1) & T(0) & T(1) \\ T(-2) & T(-1) & T(0) \end{pmatrix}
\begin{pmatrix} M \\ L \\ K \end{pmatrix}.
$$

Because $T(p-2)$ is given and the matrix on the right hand side is invertible (cf. proof of Lemma 2.5.2) the proof follows.

Lemma 4.5.5. Given $B$, $C$, and $T(p-2)$, the root-product $\mathcal{R}(g, y)$ can be computed at the cost of a small constant number of operations in $GF(p^2)$.

Proof. Since $C = y + y^{p-1} + y^{-p}$ we have that $F_y(X) = X^3 - CX^2 + C^pX - 1 \in GF(p^2)[X]$. For any $z \in GF(p^6)$ the roots of the polynomial $z^3 F_y(X/z) \in GF(p^6)[X]$ are $zy$, $zy^{p-1}$, $zy^{-p}$. Thus, $\mathcal{R}(g,y) \in GF(p^2)[X]$ can be written as the following product in $GF(p^6)[X]$:

$$
\big(g^3 F_y(Xg^{-1})\big)\big(g^{3(p-1)} F_y(Xg^{-(p-1)})\big)\big(g^{-3p} F_y(Xg^{p})\big) = F_y(Xg^{-1})\,F_y(Xg^{-(p-1)})\,F_y(Xg^{p}),
$$

because the product of $g$ and its conjugates equals 1. To compute $\mathcal{R}(g, y)$ we represent $GF(p^6)$ as $GF(p^2)[X]/F_g(X) = GF(p^2)(g)$, i.e., by adjoining $g$ with $g^3 - Bg^2 + B^pg - 1 = 0$ to $GF(p^2)$. In this representation, $F_y(Xg^{-1})$ can easily be computed. The remaining two factors $F_y(Xg^{-(p-1)})$ and $F_y(Xg^{p})$ can be computed given a representation of $g^p$ in $GF(p^2)(g)$, i.e., $K, L, M \in GF(p^2)$ such that $g^p = Kg^2 + Lg + M$. With Lemma 4.5.4 the proof now follows.

Lemma 4.5.6. Given $B$, $C$, $C_+$, and $T(p-2)$, the correctness of $C_+$ can be checked at the cost of a small constant number of operations in $GF(p^2)$.

Proof. Given $B$ and $C$, the value for $C_+$ is correct if the roots in $GF(p^6)$ of the polynomial $X^3 - C_+X^2 + C_+^pX - 1 \in GF(p^2)[X]$ are $\alpha\beta$ and their conjugates, where $\alpha$ is a root of $X^3 - BX^2 + B^pX - 1$ (i.e., $\alpha = g$, $g^{p-1}$, or $g^{-p}$) and $\beta$ is a root of $X^3 - CX^2 + C^pX - 1$ (i.e., $\beta = y$, $y^{p-1}$, or $y^{-p}$). According to Lemma 4.5.3 the root-product $\mathcal{R}(g,y) \in GF(p^2)[X]$ is the product of the three minimal polynomials of $gy$, $gy^{p-1}$, and $gy^{-p}$, respectively, so that $C_+$ is correct if and only if the polynomial $X^3 - C_+X^2 + C_+^pX - 1 \in GF(p^2)[X]$ divides $\mathcal{R}(g,y)$. The proof now follows from Lemma 4.5.5.

20 

Lemma 4.5.7. Given $B$, $C$, $C_+$, and $T(p-2)$, the corresponding $C_-$ can be computed at the cost of a small constant number of operations in $GF(p^2)$.

Proof. Without loss of generality we assume that the roots of $X^3 - C_+X^2 + C_+^pX - 1$ are $gy$ and its conjugates. It follows from Lemma 4.5.3 that the corresponding $C_-$ satisfies $X^3 - C_-X^2 + C_-^pX - 1 = \gcd(\mathcal{R}(g^{-1}, y), \mathcal{R}(g^{-2}, gy))$. The proof now follows from the observation that the root-products $\mathcal{R}(g^{-1}, y)$ and $\mathcal{R}(g^{-2}, gy)$ can be computed as in the proof of Lemma 4.5.5 (with $C$ replaced by $C_+$ for the computation of $\mathcal{R}(g^{-2}, gy)$).

Lemma 4.5.8. Given $B$, the value of $T(p-2)$ can be computed at the cost of a square root computation in $GF(p)$, assuming one bit of information to resolve the square root ambiguity.

Proof. It follows from Corollary 2.4.2.H, $T(p) = B^p$, and $T(p-1) = T(1) = B$ that $T(p-2) = T(p+1)$. Let $T(p+1) = x_1\alpha + x_2\alpha^p$ with $x_1, x_2 \in GF(p)$. Thus, $-(x_1 + x_2) = T(p+1)^p + T(p+1)$ (cf. 2.1). With $T(p+1) = g^{p+1} + g^{p-2} + g^{-2p+1}$, $T(p+1)^p = g^{-p-1} + g^{-p+2} + g^{2p-1}$, and

$$
B \cdot B^p = (g + g^{p-1} + g^{-p})(g^{-1} + g^{-p+1} + g^{p}) = g^{p+1} + g^{p-2} + g^{-2p+1} + g^{-p-1} + g^{-p+2} + g^{2p-1} + 3 = T(p+1)^p + T(p+1) + 3
$$

it follows that $x_1 + x_2 = 3 - B^{p+1} \in GF(p)$.

Similarly, it follows from straightforward evaluation that $(T(p+1)^p - T(p+1))^2 = -3(x_1 - x_2)^2$. With the identity for $(T(p+1)^p - T(p+1))^2$ given in the proof of Lemma 2.5.2 we find that $-3(x_1 - x_2)^2 = B^{2p+2} + 18B^{p+1} - 4(B^{3p} + B^3) - 27 \in GF(p)$. The proof follows by using that $x_1 + x_2 = 3 - B^{p+1}$.

It follows from Lemma 4.5.7 that $C_-$ does not have to be included in the public key for digital signature applications. A single additional bit is required in the public key if Lemma 4.5.8 is used by the recipient of the public key to compute $T(p-2)$. The expected cost of the computation of $T(p-2)$ using Lemma 4.5.8 is $1.3 \log_2(p)$ multiplications in $GF(p)$ if we make the additional assumption that $p \equiv 3 \bmod 4$. Without Lemma 4.5.8, and without the additional bit, the computation of $T(p-2)$ takes an expected $11.9 \log_2(p)$ multiplications in $GF(p)$, according to 2.4.11. Note that also $C_+$ does in principle not have to be included in the public key, because the recipient can determine $C_+$ by factoring the ninth degree polynomial $\mathcal{R}(g,y) \in GF(p^2)[X]$ into three third degree irreducible polynomials in $GF(p^2)[X]$.
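The following is an added example and not part of the original document: a toy XTR instance with p = 11 and q = 37 that exercises the two results a recipient of the reduced public key relies on, Lemma 4.5.4 (solving the 3x3 system above for K, L, M and checking g^p = Kg^2 + Lg + M in GF(p^6)) and Lemma 4.5.8 (recovering T(p-2) from B alone with one square root in GF(p) and one sign bit). The parameter choice, the construction of GF(p^6) as GF(p^2)[X]/(X^3 - cX^2 + c^pX - 1) for a c found by search, and all function names (f2_*, f6_*, T, solve_klm, recover_T_p_minus_2) are our own assumptions; the document itself gives no numeric instance.

```python
# Added example (not part of the original document): a toy XTR instance with
# p = 11, q = 37 that checks the trace identities behind Lemma 4.5.4 (the 3x3
# system giving g^p = K g^2 + L g + M) and Lemma 4.5.8 (recovering T(p-2) from B
# with one GF(p) square root plus one bit). All names and values are our own.
P = 11                    # p = 2 mod 3 (X^2 + X + 1 irreducible) and p = 3 mod 4
Q = (P * P - P + 1) // 3  # q = 37 is prime and divides p^2 - p + 1

# GF(p^2) = GF(p)[alpha]/(alpha^2 + alpha + 1); the pair (a, b) stands for a + b*alpha.
def f2_add(x, y): return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
def f2_sub(x, y): return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)
def f2_mul(x, y):
    (a, b), (c, d) = x, y                    # uses alpha^2 = -alpha - 1
    return ((a * c - b * d) % P, (a * d + b * c - b * d) % P)
def gpow(mul, one, x, e):                    # square-and-multiply in any field
    r = one
    while e:
        if e & 1: r = mul(r, x)
        x, e = mul(x, x), e >> 1
    return r
def f2_pow(x, e): return gpow(f2_mul, (1, 0), x, e)
def f2_inv(x): return f2_pow(x, P * P - 2)
def f2_int(n): return (n % P, 0)             # embed an integer into GF(p^2)
# GF(p^6) = GF(p^2)[X]/(X^3 - c X^2 + c^p X - 1) for a c that makes the cubic
# irreducible (no root in GF(p^2)); elements are triples (u0, u1, u2).
def pick_c():
    elems = [(a, b) for a in range(P) for b in range(P)]
    def fc(c, cp, x):                        # X^3 - c X^2 + c^p X - 1 at x
        return f2_sub(f2_add(f2_sub(f2_pow(x, 3), f2_mul(c, f2_mul(x, x))), f2_mul(cp, x)), (1, 0))
    for c in elems:
        cp = f2_pow(c, P)
        if all(fc(c, cp, x) != (0, 0) for x in elems):
            return c
C = pick_c()
CP = f2_pow(C, P)
ONE6 = ((1, 0), (0, 0), (0, 0))
def f6_add(u, v): return tuple(f2_add(a, b) for a, b in zip(u, v))
def f6_scale(s, u): return tuple(f2_mul(s, a) for a in u)   # GF(p^2) scalar times element
def f6_mul(u, v):
    prod = [(0, 0)] * 5
    for i in range(3):
        for j in range(3):
            prod[i + j] = f2_add(prod[i + j], f2_mul(u[i], v[j]))
    for k in (4, 3):                         # X^k = X^(k-3) * (c X^2 - c^p X + 1)
        t, prod[k] = prod[k], (0, 0)
        prod[k - 1] = f2_add(prod[k - 1], f2_mul(t, C))
        prod[k - 2] = f2_sub(prod[k - 2], f2_mul(t, CP))
        prod[k - 3] = f2_add(prod[k - 3], t)
    return tuple(prod[:3])
def f6_pow(u, e): return gpow(f6_mul, ONE6, u, e)
# The class of X has order dividing p^2 - p + 1 = 3q and lies outside GF(p^2),
# so its cube has order exactly q: that is our g.
G = f6_pow(((0, 0), (1, 0), (0, 0)), 3)
def g_pow(n): return f6_pow(G, n % Q)
def trace(u):
    """Sum of u and its conjugates u^(p^2), u^(p^4); always an element of GF(p^2)."""
    t = f6_add(f6_add(u, f6_pow(u, P * P)), f6_pow(u, P ** 4))
    assert t[1] == (0, 0) and t[2] == (0, 0)
    return t[0]
def T(n): return trace(g_pow(n))             # T(n) = g^n + g^(n(p-1)) + g^(-np)
B, BP = T(1), f2_pow(T(1), P)
def det3(m):
    (a, b, c), (d, e, f), (g, h, i) = m
    return f2_add(f2_sub(f2_mul(a, f2_sub(f2_mul(e, i), f2_mul(f, h))),
                         f2_mul(b, f2_sub(f2_mul(d, i), f2_mul(f, g)))),
                  f2_mul(c, f2_sub(f2_mul(d, h), f2_mul(e, g))))
def solve_klm():
    """Lemma 4.5.4: solve (B^p, B, T(p-2)) = [T(0) T(1) T(2); T(-1) T(0) T(1);
    T(-2) T(-1) T(0)] * (M, L, K) by Cramer's rule over GF(p^2)."""
    m = [[T(0), T(1), T(2)], [T(-1), T(0), T(1)], [T(-2), T(-1), T(0)]]
    rhs, dinv, sol = [BP, B, T(P - 2)], f2_inv(det3(m)), []
    for col in range(3):
        mc = [row[:] for row in m]
        for r in range(3): mc[r][col] = rhs[r]
        sol.append(f2_mul(det3(mc), dinv))
    M, L, K = sol
    return K, L, M
def check_lemma_454():
    K, L, M = solve_klm()                    # is g^p == K g^2 + L g + M in GF(p^6)?
    rhs = f6_add(f6_add(f6_scale(K, f6_mul(G, G)), f6_scale(L, G)), f6_scale(M, ONE6))
    return f6_pow(G, P) == rhs
def recover_T_p_minus_2(b, sign_bit):
    """Lemma 4.5.8: T(p-2) = T(p+1) = x1*alpha + x2*alpha^p from B alone; the bit
    picks one of the two square roots of (x1 - x2)^2 in GF(p)."""
    bp1 = f2_pow(b, P + 1)                   # B^(p+1) lies in GF(p)
    disc = f2_sub(f2_add(f2_pow(b, 2 * P + 2), f2_mul(f2_int(18), bp1)),
                  f2_add(f2_mul(f2_int(4), f2_add(f2_pow(b, 3 * P), f2_pow(b, 3))), f2_int(27)))
    assert bp1[1] == 0 and disc[1] == 0      # both are GF(p) elements
    s = (3 - bp1[0]) % P                     # x1 + x2 = 3 - B^(p+1)
    d2 = (-disc[0] * pow(3, -1, P)) % P      # (x1 - x2)^2 = -disc / 3
    d = pow(d2, (P + 1) // 4, P)             # a square root, valid since p = 3 mod 4
    assert d * d % P == d2
    if sign_bit: d = (-d) % P
    x1, x2 = (s + d) * pow(2, -1, P) % P, (s - d) * pow(2, -1, P) % P
    return ((-x2) % P, (x1 - x2) % P)        # alpha^p = alpha^2 = -1 - alpha
def check_lemma_458():
    t = T(P - 2)
    return t == T(P + 1) and t in (recover_T_p_minus_2(B, 0), recover_T_p_minus_2(B, 1))
```

Running `check_lemma_454()` and `check_lemma_458()` returns True for this instance: the Cramer solution satisfies g^p = Kg^2 + Lg + M, and exactly one of the two sign choices in `recover_T_p_minus_2` reproduces T(p-2), which is the bit the text says must travel with the public key. The square root is taken as an exponentiation by (p+1)/4, which is why the text's 1.3 log_2(p) estimate assumes p = 3 mod 4; for other primes a general square root routine would be needed.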

4.6 Comparison with RSA and ECC 

We give a rough comparison of the performance of RSA, ECC, and our method, which we refer to as XTR. We assume that XTR with P = Q = 170 (cf. 4.4) offers approximately the same security as 6*P-bit RSA with a 32-bit public exponent and as ECC with a randomly selected curve over a random P-bit prime field and with a Q-bit prime dividing the group order.

4.6.1. Public key sizes. For all systems the number of bits of the public keys depends on the way the public keys are generated, because in all cases considerable savings can be obtained by including the user ID in the generation process (cf. 4.4). For RSA the user ID may be included in the modulus (cf. [7]) and the public exponent may be fixed or determined as a function of the user ID. As a consequence, the size of the RSA public key varies between 3*P and 6*P + 32 bits, depending on whether ID based compression methods are used or not. If, in ECC, the curve and finite field information is shared, then the public key information consists of P + 1 bits for the public point, assuming its y-coordinate is represented by a single bit, irrespective of the inclusion of user ID information. In a non-shared ECC setup, the finite field, random curve, and group order information take approximately 3.5*P bits, plus a small constant number of bits to represent a point of high order. Using a method similar to the one in 4.4 this can be reduced to an overhead (on top of the user ID) of, say, 48 bits (to generate the curve and finite field as a function of the user ID and 48 random bits) plus P/2 bits (for the group order information). Thus, non-shared ECC public key sizes vary between 49 + 1.5*P and 1 + 4.5*P bits. For XTR the public key size varies between 48 + 2*P and 5*P + Q bits if no digital signatures are required or 48 + 4*P and 7*P + Q otherwise, as described in 4.4 and 4.5.

ID based key generation methods for RSA affect the way the modulus and its secret factors are determined. The ID based approach for RSA is therefore viewed with suspicion and not generally used, despite the fact that no attacks on the methods from, for instance, [7] are known. For discrete logarithm based methods (such as ECC and XTR) ID based key generation methods affect only the part of the public key that is not related to the secret information, i.e., the way the public point is determined is not affected. The ID based approach is therefore commonly used for discrete logarithm based systems. This distinction between RSA on the one hand, and ECC and XTR on the other hand, should be kept in mind while interpreting the public key length data in Table 1.

4.6.2. Speed. In Table 1 speed is measured as the approximate number of multiplications in a 170-bit field. RSA-encryption (or signature verification) with a 32-bit public exponent and a 6*P-bit field requires approximately 32 squarings and 16 multiplications in the field, which is assumed to be equivalent to approximately 0.8*32 + 16 multiplications, and thus about 36 times as many, i.e., about 1500, multiplications in a 170-bit field. The number of operations required for RSA-decryption (or signature generation) is twice approximately 3*P squarings and 1.5*P multiplications in a 3*P-bit field, which amounts to about 11900 multiplications in a 170-bit field. For the ECC estimates we use the optimized results from [3], both for the two separate scalar multiplications in ECC-ElGamal encryption, and for the single scalar multiplication in ECC-ElGamal decryption and ECC-NR signature generation. The two scalar multiplications in ECC-NR signature verification can be combined, but it is as yet unclear if the methods from [3] can be used for this purpose. For that reason we use the estimate 2575 based on a rather straightforward but reasonably fast implementation; it is conceivable that this can be improved to, approximately, 2125 using the methods from [3]. The XTR estimates are based on 4.2, Remark 2.4.11, 4.3, and Remark 2.5.6.

The speeds given in Table 1 should not be confused with actual run times. Relatively speaking, actual run times for ECC and XTR should be close to the figures in Table 1. The performance of RSA may be somewhat better because in practical implementations a single 510-bit modular multiplication may be faster than nine 170-bit modular multiplications.

4.6.3. Signature and encryption size. For the encryption and digital signature sizes we assume a message consisting of m bits (including the redundancy) and, in 4.2, 4.3, and similar ECC applications, a symmetric encryption method using a 128-bit key. For RSA we assume that if the message is too long (to be encrypted or signed with message recovery using a single RSA application), then RSA is used in conjunction with the same symmetric encryption method.

4.6.4. Key generation. For RSA two independent 3P-bit primes have to be generated. For XTR either two independent P-bit primes (assuming $z_1$ as in 4.4 is allowed to be non-zero), or two dependent P-bit primes (assuming $z_1$ as in 4.4 is 0) have to be generated. In the former case XTR key generation may be expected to be about $3^4 = 81$ times faster than RSA key generation. In the latter case RSA and XTR key generation is about equally expensive for P = 170: on the order of $2(3P)^4$ bit operations for RSA, and on the order of $P^5$ bit operations for XTR. ECC key generation is orders of magnitude slower and considerably more complicated than either RSA or XTR key generation.



Table 1 (P = Q = 170; speeds are approximate numbers of multiplications in a 170-bit field; m is the message length in bits)

                                       RSA                       ECC                                    XTR (non-shared only)
                                                                 shared        non-shared               no signing     with signing
Public key size, ID-based              510                       171           304                      388            728
Public key size, non ID-based          1056                      171           766                      1020           1360
Encryption speed                       1500                      3400                                   4046
Decryption speed                       11900                     1700                                   2023
Approximate encryption size            max(1024, 128+m)          171+m                                  340+m
Digital signature generation speed     11900                     1700                                   2023
Digital signature verification speed   1500                      2575                                   4046
Approximate digital signature size     max(1024, 128+m)          170+m                                  170+m
Key generation                         two independent           curve with 170-bit                     two 170-bit primes
                                       510-bit primes            prime order subgroup
5. Security

For completeness we sketch the straightforward proofs that traditional subgroup discrete logarithm and DH problems offer the same security as our versions. Let the notation be as in Section 2.

Lemma 5.1. Given $y \in \langle g \rangle$, the discrete logarithm of $y$ with respect to $g$ can be found using a single call to an oracle that given a value $v \in GF(p^2)$ produces an integer $a$ such that $T(a) = v$, if such an integer exists.

Proof sketch. Let $y = g^b$ for some unknown integer $b$. Let $a$ be the integer produced by an oracle call with $v = y + y^{p-1} + y^{-p} \in GF(p^2)$; then $a = b$, or $a = b(p-1) \bmod (p^2 - p + 1)$, or $a = -bp \bmod (p^2 - p + 1)$. Thus, $b$ can be found by trying at most three different possibilities.

Lemma 5.2. Given $v \in GF(p^2)$, an integer $a$ such that $T(a) = v$, if such an integer exists, can be found using a single call to an oracle that solves the discrete logarithm problem in $\langle g \rangle$.

Proof sketch. Let $v \in GF(p^2)$. Determine the roots $\alpha, \beta, \gamma \in GF(p^6)$ of the polynomial $X^3 - vX^2 + v^pX - 1 \in GF(p^2)[X]$. If $\alpha, \beta, \gamma \notin \langle g \rangle$ (which can easily be checked), then $a$ with $T(a) = v$ does not exist. Otherwise, assume without loss of generality that $\alpha \in \langle g \rangle$, and use the oracle to produce an integer $a$ such that $g^a = \alpha$. This $a$ satisfies $T(a) = v$.

Lemma 5.3. Given $g^a$ and $g^b$ for unknown integers $a$ and $b$, the value $g^{ab}$ can be computed using two calls to an oracle that given $T(u)$ and $T(v)$, for unknown integers $u$, $v$, determines $T(uv)$.

Proof sketch. Given $g^a$ compute its conjugates $g^{a(p-1)}$ and $g^{-ap}$ and $T(a) = g^a + g^{a(p-1)} + g^{-ap}$. Similarly, compute $T(b)$ and, using $g^a/g = g^{a-1}$, compute $T(a-1)$. Determine $T(ab)$ and $T((a-1)b)$ using two calls to the oracle. Determine the roots $\alpha, \beta, \gamma \in GF(p^6)$ of the polynomial $X^3 - T(ab)X^2 + T(ab)^pX - 1 \in GF(p^2)[X]$. We have that $\{\alpha, \beta, \gamma\} = \{g^{ab}, g^{ab(p-1)}, g^{-abp}\}$, but it is unclear which of $\alpha, \beta, \gamma$ is the value $g^{ab}$ that we are looking for. For that reason we determine the roots $\alpha', \beta', \gamma' \in GF(p^6)$ of the polynomial $X^3 - T((a-1)b)X^2 + T((a-1)b)^pX - 1 \in GF(p^2)[X]$. We have that $\{\alpha', \beta', \gamma'\} = \{g^{(a-1)b}, g^{(a-1)b(p-1)}, g^{-(a-1)bp}\}$, so that $g^{ab}$ can be determined as $\{\alpha, \beta, \gamma\} \cap \{\alpha' g^b, \beta' g^b, \gamma' g^b\}$.

Corollary 5.4. Given $g^a$ and $g^b$ for unknown integers $a$ and $b$, the value $g^{ab}$ can be found with probability $\varepsilon/3$ using a single call to an oracle that given $T(u)$ and $T(v)$, for unknown integers $u$, $v$, determines $T(uv)$ with probability $\varepsilon$.

Corollary 5.5. Given $g^a$ and $g^b$ for unknown integers $a$ and $b$, the value $g^{ab}$ can be computed using a single call to an oracle that given $T(u)$ and $T(v)$, for unknown integers $u$, $v$, determines $T(uv)$, and at most two calls to an oracle that asserts the correctness of the resulting value $g^{ab}$.

It follows from Corollary 5.5 that in many practical situations a single call to the $T(u), T(v) \to T(uv)$ oracle would suffice to find $g^{ab}$ given $g^a$ and $g^b$. As an example we mention DH key agreement where the resulting key is actually used after it has been established.

Lemma 5.6. Given $T(u)$ and $T(v)$ for unknown integers $u$, $v$, the value $T(uv)$ can be found using a single call to an oracle that given $g^a$ and $g^b$, for unknown integers $a$ and $b$, determines $g^{ab}$.

Proof sketch. Determine the roots $\alpha, \beta, \gamma \in GF(p^6)$ of the polynomial $X^3 - T(u)X^2 + T(u)^pX - 1 \in GF(p^2)[X]$ and the roots $\alpha', \beta', \gamma' \in GF(p^6)$ of the polynomial $X^3 - T(v)X^2 + T(v)^pX - 1 \in GF(p^2)[X]$. We have that $\alpha = g^{u(p-1)^i}$ and $\alpha' = g^{v(p-1)^j}$ for unknown $i, j \in \{0, 1, 2\}$. From $\alpha$ and $\alpha'$ determine $g^{uv(p-1)^{i+j}}$ using a single call to the oracle. Because the order of $g$ divides $p^2 - p + 1$ the sum of $g^{uv(p-1)^{i+j}}$ and its conjugates equals $T(uv)$.

6. Extensions

Methods similar to the ones described in this paper can be used for compact representation of and fast arithmetic with elements of a subgroup of order dividing $p + 1$ in $GF(p^2)^*$, as used for instance in the public key system LUC (cf. [9]). For that application the savings obtained are smaller than in our application, and the resulting comparison to RSA and ECC is less favorable. For that reason we do not elaborate.

Instead of representing powers of $g$ (and their conjugates) of order $q$ dividing $\phi_6(p)$ by elements of $GF(p^2)$ as opposed to $GF(p^6)$, we can represent powers of elements of order dividing $\phi_{30}(p)$ by elements of $GF(p^{10})$ as opposed to $GF(p^{30})$ using the same methods as presented in sections 2 to 5. Because $10 + 1 = 11$ is prime (just as $2 + 1 = 3$ is prime) we can use an optimal normal basis to represent the underlying field $GF(p^{10})$, but the overall construction is more complicated and fewer suitable primes are available while no additional savings are obtained. The same holds for any integer $x$ for which $2x + 1$ is prime: powers of elements of order dividing $\phi_{6x}(p)$ can be represented in $GF(p^{2x})$ as opposed to $GF(p^{6x})$, and the arithmetic with those powers in the field $GF(p^{2x})$ is efficient. The case $x = 1$, as described in detail in this paper, is the most efficient and most flexible of this more general construction. For that reason we do not present the details of the more general construction.

We are not aware of constructions similar to the ones described in this paper that obtain more savings than obtained by our construction. We have reason to believe that such constructions do not exist, but at this point this is merely a conjecture for which reasonable evidence seems to exist (cf. [2]).
Although illustrative embodiments of the present invention, and various modifications thereof, have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to these precise embodiments and the described modifications, and that various changes and further modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the invention as defined in the appended claims.
CLAIMS

What is claimed is:

1. A method of determining a public key having a reduced length and a factor p, using GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing GF(p^6), comprising the steps of:

selecting a number q and a number p such that p**2 - p + 1 is an integer multiple of q;

selecting a number g of order q, where g and its conjugates can be represented by B, where Fg(x) = x**3 - Bx**2 + (B**p)x - 1 and the roots are g, g**(p-1), g**(-p);

representing the powers of g using their trace over the field GF(p^2);

selecting a private key; and

computing a public key as a function of g.

2. A method of encrypting a message using the public key generated by the method of claim 1.

3. A method of decrypting a message using the public and private key generated by the method of claim 1.

4. A method of signing a message using the public and private key generated by the method of claim 1.

5. A method of verifying a signature using the public key generated by the method of claim 1.

6. A method of Diffie Hellman key exchange and related schemes using the public key generated by the method of claim 1.

13023 1    0225-4188
7. A system for determining a public key having a reduced length and a factor p, using GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing GF(p^6), comprising:

a processor for selecting a number q and a number p such that p**2 - p + 1 is an integer multiple of q;

said processor selecting a number g of order q, where g and its conjugates can be represented by B, where Fg(x) = x**3 - Bx**2 + (B**p)x - 1 and the roots are g, g**(p-1), g**(-p);

said processor representing the powers of g using their trace over the field GF(p^2);

said processor selecting a private key;

a memory coupled to said processor for storing the private key;

said processor computing a public key as a function of g; and

a network interface for distributing said public key over a network.

8. A system of encrypting a message using the public key generated by the system of claim 7.

9. A system of decrypting a message using the public and private key generated by the system of claim 7.

10. A system of signing a message using the public and private key generated by the system of claim 7.

11. A system of verifying a signature using the public key generated by the system of claim 7.

12. A system of Diffie Hellman key exchange and related schemes using the public key generated by the system of claim 7.



13. A computer program article of manufacture, comprising:

a computer readable medium for determining a public key having a reduced length and a factor p, using GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing GF(p^6), comprising:

a computer program means in said computer readable medium, for selecting a number q and a number p such that p**2 - p + 1 is an integer multiple of q;

a computer program means in said computer readable medium, for selecting a number g of order q, where g and its conjugates can be represented by B, where Fg(x) = x**3 - Bx**2 + (B**p)x - 1 and the roots are g, g**(p-1), g**(-p);

a computer program means in said computer readable medium, for representing the powers of g using their trace over the field GF(p^2);

a computer program means in said computer readable medium, for selecting a private key; and

a computer program means in said computer readable medium, for computing a public key as a function of g.

14. The article of manufacture of claim 13, which further comprises:

a computer program means in said computer readable medium, for encrypting a message using the public key.

15. The article of manufacture of claim 13, which further comprises:

a computer program means in said computer readable medium, for decrypting a message using the public and private key.
16. The article of manufacture of claim 13, which further comprises:

a computer program means in said computer readable medium, for signing a message using the public and private key.

17. The article of manufacture of claim 13, which further comprises:

a computer program means in said computer readable medium, for verifying a signature using the public key.

18. The article of manufacture of claim 13, which further comprises:

a computer program means in said computer readable medium, for Diffie Hellman key exchange and related schemes using the public key.

19. A business method of determining a public key having a reduced length and a factor p, using GF(p^2) arithmetic to achieve GF(p^6) security, without explicitly constructing GF(p^6), comprising the steps of:

selecting a number q and a number p such that p**2 - p + 1 is an integer multiple of q;

selecting a number g of order q, where g and its conjugates can be represented by B, where Fg(x) = x**3 - Bx**2 + (B**p)x - 1 and the roots are g, g**(p-1), g**(-p);

representing the powers of g using their trace over the field GF(p^2);

selecting a private key; and

computing a public key as a function of g.

20. A method of encrypting a message using the public key generated by the business method of claim 19.

21. The method of decrypting a message using the public and private key generated by the business method of claim 19.

22. The method of signing a message using the public and private key generated by the business method of claim 19.

23. The method of verifying a signature using the public key generated by the business method of claim 19.

24. The method of Diffie Hellman key exchange and related schemes using the public key generated by the business method of claim 19.
ABSTRACT OF THE DISCLOSURE

Improvements are obtained in key generation and cryptographic applications in public key cryptography, by reducing the bit-length of public keys, thereby reducing the bandwidth requirements of telecommunications devices, such as wireless telephone sets.